From 10d3b4d1fbab8583a77c692450fec1e2335553ce Mon Sep 17 00:00:00 2001
From: Fredrik Eriksson
Date: Sun, 17 May 2020 20:34:09 +0200
Subject: [PATCH] fixed manifest for feffe-policies

---
 sec-policy/selinux-feffe-policies/Manifest | 2 +-
 .../selinux-feffe-policies/files/feffe.if | 1 -
 .../selinux-feffe-policies/files/feffe.pp | Bin 94126 -> 0 bytes
 .../files/tmp/all_interfaces.conf | 285730 ---------------
 .../files/tmp/feffe.tmp | 5160 -
 .../files/tmp/iferror.m4 | 1 -
 6 files changed, 1 insertion(+), 290893 deletions(-)
 delete mode 100644 sec-policy/selinux-feffe-policies/files/feffe.if
 delete mode 100644 sec-policy/selinux-feffe-policies/files/feffe.pp
 delete mode 100644 sec-policy/selinux-feffe-policies/files/tmp/all_interfaces.conf
 delete mode 100644 sec-policy/selinux-feffe-policies/files/tmp/feffe.tmp
 delete mode 100644 sec-policy/selinux-feffe-policies/files/tmp/iferror.m4

diff --git a/sec-policy/selinux-feffe-policies/Manifest b/sec-policy/selinux-feffe-policies/Manifest
index 828c494..a80c3ce 100644
--- a/sec-policy/selinux-feffe-policies/Manifest
+++ b/sec-policy/selinux-feffe-policies/Manifest
@@ -1,5 +1,5 @@
 AUX feffe.fc 0 BLAKE2B 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-AUX feffe.te 2775 BLAKE2B e99e4704905752c6d7a7a19ec86e5fa98fdeefb5ed4eabc5cacb028243d6abea7e5593a49a1f93edc0c45898b71de83c11fccdccf3d0346f98a3836a8c4120e2 SHA512 f5f2a643122e204fb0c44ea0fc4f91e518958b02c123fce4702dba267039c6d6392ef734ed255e847b068953b2a4e8f4d31763bf2ecd6bcc6fd68a5a3050da55
+AUX feffe.te 3721 BLAKE2B 047bf462701cd75059675ddb7a46cc6d12e8bfc9e56d295070a54b55c9dd772f457c05e3015b26de13f4921a0fca5427c1b8fabb68166971039a88b5057d8c4f SHA512 02ca8f161ba71cb4872cf70662591a312857dc75cbc9a128604ea6a65ea16977b4c4e11e9956daffe55164080a164989287cfa649a1d27095459928928d834c3
 DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
 DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
 EBUILD selinux-feffe-policies-2.20190609-r1.ebuild 398 BLAKE2B 7bafc0298e6b5ac626897db6af7582f9d2ca91415601491c3c2df2310de1002321240268e381891dbc96b51f199c67968c049b8da4f8b4b64c5d2a693ed167b8 SHA512 653db292b47d94e6f39e8da102073100fbc41b28828b6550aca22ba9245329409e3a78b5c450e2fcfc9121a117c7c8021b99ff8c3d1dcb33d34173c06acfc687
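Review bot: The new `AUX feffe.te 3721 BLAKE2B 047bf462…` entry records a feffe.te that this patch does not carry, so neither the size nor the hashes can be checked from the diff; confirm it by regenerating the Manifest against the feffe.te in the tree (`ebuild selinux-feffe-policies-2.20190609-r1.ebuild manifest`) and checking that the result is byte-identical to this hunk. Given the sorted AUX order, the old Manifest never listed files/feffe.if, files/feffe.pp or files/tmp/, so those files sat in files/ without any Manifest coverage until this commit deletes them; that is the right fix, and the compiled feffe.pp in particular should stay out of the tree, since a binary module cannot be reviewed the way the .te and .fc sources can. If feffe.te is meant to change again, regenerate the Manifest in the same commit so the two never drift apart.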
diff --git a/sec-policy/selinux-feffe-policies/files/feffe.if b/sec-policy/selinux-feffe-policies/files/feffe.if
deleted file mode 100644
index 3eb6a30..0000000
--- a/sec-policy/selinux-feffe-policies/files/feffe.if
+++ /dev/null
@@ -1 +0,0 @@
-## 
diff --git a/sec-policy/selinux-feffe-policies/files/feffe.pp b/sec-policy/selinux-feffe-policies/files/feffe.pp deleted file mode 100644 index 82db376e145c8ed0ec68cd7fc61903f0f153851a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 94126 zcmeHQ2b3gNbzK&jAac&oAi@e3u~WGOm zfKA3Zf{k;|IUAgF4&Wfa`)~c%RWq+=XLd)+N@xC=UsLz}bnnkqU0waA8(;gWTOB%d z=&<;EihtV+ZguDlV!Ml+U;DJivwOq&sm9f#?z~_4D2RSL@o=9deyvzrD{d_(E0-N> z%D=6yB?kDrmI2R||Mx0AOsoBQF&m9$8?EW6bG(=#t2>Avw8yuRe;12ykH^KZdy$;o zQT%Fe*uAa%zmxdRXgDl7GeksiXHv9h1y~`Mlat=8KvtkTDf;czqQ5p74G<0$y-{b@ zzrCD*&agcwTF4rCp(>_QonFMu?nPM@oz~Z_d;$q;=hrLrW zg4%9M!g%i%)7fOSiF_~#RVEG;T}~W0#kArRf<-aBeqPKAoFa3Vu})!PICQ1>>dZMA zO^XYppP*W9HUkl4;R5k!2;U_z`xg_85w|)F#>Heh8cH`nJ0sF;(jHFNiV4oq)SY&} zkFkq(mWD+?o)xENt-<;PCOCA12bUhW+jBuEL>4%70fbHlVh1fWK36*+l*6uvY*12h zs_4wmyuu+NmPf1s$OxltJ_M?*eaI2Zz{&Qkv(Y-)lQmd04-gyc6BiGxZPO_TW5`U3 z!RSQM!fFWqvo?bS9lA_B`U^bVxL^kX#)=MdaL*B69lf*OxN|Ui_rB#p-F7M6k*%;j~C#G+SBma&*5=X3<%#an8P5-F+VXf!$K^?UF2n8@I;X?#fOfya{(wy;?Lv4@l^vJUSpVgD=pc0ovr_MZ0E zr*ex1&~55_>z$2$7sCh{O3F#UH|Wg}6mPESPq4AYb_Baf zv8+wGp~oJZ`_tL+Vv{xyM5hoEz2OG-@8~Yw&7r&Q=*@bgA@YX2g#|lQY&F+Llj8_Q zS;BKFg3I{WQV&OMF$tXl(vU_9Io|8{0a32N;k@tehG8cyOsN#%*bkSNvCxXzKnWt& zUG%zJS%qBq6deSEge2EsD3$2r^`73flVCuUixgu~(hPcL`ApP=|2O5MLc`?b%>@;$ZiE7B?Kxz2F`v9_P-J zHJwj!2N+!oefMPhc+qP2+miwEghMw%necFHU1S9`pSn9LFuq89wHFN64!XcubOGPw zkCy606T!ocWy}_Cu7gG9qm%7Pw>6r(JK<;w+)+pKq0vyTZ%!YzH^dx(hO6D}7VPHj zYSSHjRIuld3Q*f{PZZxMz5K(-ZOI^+4Bg!ugvk85R<4O?5X{yB(d=lwHTlG%m|(zR za-MEZTdVTv4Hj0+-oUu=FB_S)-Z~~`gvj=$HEEwjZfyrTe5r zEOHM>K6gSQx5S7=^5~5)zn}|sx6ChCka17N@dHyZ#u|rZ9=!?)Fw?YnQwSNmaBd$sT8JahHqy> zY8I6Shuo@H7Hhq=(ZQv~XYwi^Jsu9d9wQMR?&fs8hmP#_fYLcP$D76o;i%=d=wP$A+sT;fFuVDkjm#HrE&=98(tfYwmu_IV zmy55aEH8Tkln?uGG?fX4yxheEW@ZfR;c#5BVy1+9g?Ll|JlyJd4TB%uOmbeA>7wl} zj1XV$wYJ=B1TH8G228bRP!s{o{W@YGOP9xFKEy-<_jK{q6~0?^Fzp>I^m|_D{TBV1 zTWYj7>9!B*bMLnmd=I^LOMQ+vMh88VJNdJGYUQC@YE-JzJ+(4ilPkc3uDbWGis=^a 
zD)H6Hbkdz3ROjBS)6b+&lIp}>-`~BRc4h|;=tzCI3$r>qer5V82U2feR9vbvJyvGP>v;aJu+=zw_K&ETPYHGqvj~e$6Cbzq|9)^P|g!uMwk4MUrmPLDT-nuoee^GwYk9G5%8Mc?1`#JxggV>hWmeKA%D8pgnA_%e*mPl|>jIAHn6~tBvB<=Sg>PaM$ZB zI=jE?_0;Y4Dqm4L=;(XjN&3q!d=7|xj=!p%ZVa%oz((I+9-p5tp5XEVByf3w|6sBB z)`_S0Y_V1cR=PTkJImqXDs zyTA9mhr4LL(yx&Ms%u_v-Z^ow<=Oj|2RjNl44mrILRjPuo)-E{J}u<0WpPu!+SA?s zue&}uk9XB>LD#Z=C-RalwR*gBaK&^MduBWc33o(%wUhci^YPK@tK{t;t$A@mzGZPR zLGOKn#>5QwV)4})KH+BQgKLqqz81lxhS|W+2zUxp9;%%c+pqQUL>v}M_q}rYrVKVA zNM3nk4X$6Xjj4PK2dP{Nc}m*PpzcfSh|3RP72?jreCVL(D^uEg72Q#i&dv# zc_jJ*nG$fFezSSP9CsPuaLG`8m{8{0-Wrs^SggzEaPCXz_)M)gbg&_(aQLS3j??v8 zZ&I9;_b*-`&2!6}vHjlJ4+s2*<7*x+kZQkKjS4@>w4@e693D>Ixw+PIx3Ccd_xaox z_TBfNF_I8Zzk&e+zFUENdKg8W@f_iRd{h_dF`)3uN?+n*OB?KPgJK}xzn#gwbKC-i zb%1Z^zPgxs8_g4#aCwqdBd?>dbQ<+tp}el?fI^@UxzQ>QmOtr zwj*!On2io7>B>WuQx*mn6Bj!Izh-5mNEmpnFuLSd3dpz)awXQ zFl`7IyjujyK?vDywEM0w(2yq~Br(W9p3s}PH`^g-|{mbc_$vcde(84bqx613crSuG}*(l8}?E8feAnC?bT8IzMb zW*d|t+oVFKH+fAXO29lNuVt2ptINF;mKrzd%5DmFnOkw=2YDj?iFUu&l^?j_>)#L= zmF!C|9}5E^H(3`mnTh+z4ih9M%9iZ9dYw&}KpnGc#pI??yo$Obzwgo>0HQj4_HFk9 zSTP)WnfPiKoDL42cJTXKze?@m9U%U8onQM5-SuuPNu=$yb19trP7@OI{V&(z}(2={H18 zA65S2Da+Pub6lV|;^Tv5*>)$rR=2==Tw61&F1XvdEK>}^*2ajxQzoNr=1Ra|!KheP z!XlOYv{TFd<{t`L7TuG<$bzzE@njsg+zXX4P?tqolXvhU9JR14j=Q7ewpCaNmc^1L zM`oA;9=by`d7K8(Kpr35EX(awchH)F6u$GlERw6Z?&^Fhuc}0i;eDWpYqj@qB=vM-S#dI5qm;G>89!VQ9j@t)Jh-UtRmLs%TrMWfW!Y}btr^DFB|F4Fg`Y$yhSRpZE55Z+ z^yTA_7T({_L4z--EGwzAE^iQ#cbB5yJ#2?~^22T%5E!&eGb`i)8<$mMhgf~t6}jPn zPPQy7_c13+#PdDNqPbq+USNQka9ONDF_jk>Y_#R4>3pxnCLR;#vLvo2cKSWcRprNZ z?&S$cw=B(Z{1T|2g^)R3+OjNit;t-^#67cRvCF{{MscW|TR;X5Xh zw{lAb%_NRIx;d1-IC4t>g3pnfg6pgtLmbD6@ECgdUn7n<2|nfw|GF@& zIK%%g41vpH#1xW*S#Bz3_~$DQUHmsFjvW3P#j(TRq&RW-1Bz3JzejQA@Q*0YokFxd zT!+Q~ED@lK{_BcK_YV~_{$DC4-G5e0y8o@1bU&-C-%dcfcTr5b_ft%|mnbG(tYvT= z7WY^m9FlITm~@}4m~@||nCY)mOu8+_q}x+Wx>LoZ`?-oq_lp&i?xkdVsKe~v;)5g7 z{RYLP`yR!l`w_*Y`vZ!Z-;XOM-CtBpy1%WMbU&e(bpKW{>4u&zv-@`+9Fy*iib?nO z<&f&cqc1G)X5R z-IE$ly024Ax?irCbiYb5%X^n%(tV#|()}*Qr2BMFm(f4wgHzJ|X~m@btBOhY_Z5@w 
zpDQNae^gAmpHfV^xAs#}%JT1|m~`)>m~@}#=`#4CJ~$)Y$0#PWD zRZP0CP)xe(ib?l+#pLrE#iWZXR=7^?Cay2^!8z%^Nipeuonq4c7R99dA;qNoeTqr< zM-`Lq&nqU~-&9Pxf2=q^hK4B{N7ex>B!A;WWg%I?O0y;&PF5Bd;olY!R-EDg7KUI2 z=h!#H$-;sR#tt~>@T(OE4u65-(BU^KjvW44#j(TRtT=J_gNjp!zgKbQ@W&PB4*#6T z!7)b{*AZ|X()kS{Ko|Xw6f^v<6qD}1C??(iQB1nG@l#bmx_4Dfy7yO1x(`=Ox|ewz zl5WH2&*C!;Cf%nfCf#Q%X8ac_Cf(0bOuDa9Ou940r2Bb_N%u<>lkQtRj!5^>o-T`f zy9Sf)w<;#xZ&ysZKd6}Le?l?o{*q$S{T;=m`$@&5`*(^-_dh(2NjLIznY|wzotShl z_A^;by7yE}x(`-NxE2f{=|0TkjCAn;HC%_$k7_XKCW=Y7shD)1shD(M zpqO-DshD&(6qBz1o$yY^@?Wdrr29o4=cM~`vXynmOD@%Z-=HC~Fl>jTnx)-p*2sbVw1TMn$8et_s z7_PG5I!yl>B0v}Y3l)bBze#cA@YgAh9sU-@iNhaKoI3n{iZh3QRB`SGc1c&34ygHg z9~vBU_%{`kJgy|+IwbqYM1U^(Un?g0e^pHK|ErkfZ|i5WfaLF{nB*UznB*U!ICtee z&f}1DbH$|lP+uPDJXM29_iDuqf01I+Z7U|-3)Y|()}UDjQ^90N%xl(lkV>-Cfz?(OuB!sm~{Ws6qD|C zib=Pnm~?xJNq4H4<$bPV(*0tObJBf_V$ywur_1Qypuwd39>t{l5yhnY1Byxa#}$+A zFDfS8-&RbzpHQ5;W##WYmUSk?I`bb3!-_NbN6X}rCJ5008(zW6F^4CLR~&w=;vht3 zxCIK=Vel6b0lMgKRvbC}^@?MM->o=t_``}*hreHO=J1ax&K>>*j|0;EEyd*XCyGfI zx5?o;RQoqXfG)d#Q%t)5rWx7_Q?=bN4(QBKgaG z?2zQIP)zarU zEdJgaOu7xlr2A;aj2|f`-OpA`y3bHdy3bckx-a)QA>B2_q&rqjx=l})#l2dCN%spB zlkOW8lkV3lX8LbdOu8RbOuFBzm~=nxaZ0*BrcN-@1dAAp@e>3+H5+|82cA#fd6+E@9|h~(d;nB?E5nB>1pG08ucnMrOgyN_uw z@lPuz`CnB`^1rW`T5L}1R{c{omU2zxtsVX4d zdnzW~2P-DsBZ^5k@HiyhCnzS}D;2Z+YZR02OBIvu!^u{zUmU%z29xekG3lOCOuDaE zOuAp8m~_9|Q8DShUoq)^w_@`7Va23-nWq~$x<8}Ar2A`%N%s#FlkQ(ACf$Eh zoV!UKPaeW`T<)Ltp)tu{5|TyHJEh2UNOVpt(bH_teAAaUoq+a zn8zvU{(@rC{Vm0$`zMM?_iq%F?z25z7XNP=OuGN4m~?OF=dG0S@2;41AE=mgAL(&M zy6&MMbd`*BFV}F=y+SeRK1VU>zR=TUaWB?j(p^U6x?ic7 zbl<6%bl3)u<%j`d@!KC|Bib?lZ6qD}nDJI=NQ=Ge1u!o&@V70X!{4Deb@+!AXAb|Q z;@sh1_BbHj-&IVyf2x>t|6Vca{-He%@(tVt#%iv$vVAB0V#iaX}ib?mM6_f6NdmNMQXZg7(Cf&Oz zCf)lfCf!RElh0!nlWy+m#;);G4JO?uD<<7%DJI?P6z6UYx~xu0B>z+`%@y|z8cg!tL;q;sPNlkV;Pyp=Ni9*Rl#L5fNDQ66Wc>z?_MB4k-{)$w=@C*7wh zCf(;MCf%1PCfyf#x-7n}DayXPVi)|K3+V7i6=x3rl;YgsU-38~-QQD8x__pa zbpJsy>He2u(mm{Frhs(ssF-vgsPSF#_txOl;f7+;eY9fIjXVxX_p=p~?lTmV?(-Fs 
z?#mUE?wVrK9V;f?M|!$U{%Q>--7io~x^GlWx?k&YM7rOsm~=m=m~_8aG0Xe7V$%IN z#iaWiib?mFr_1Pnq`{>7SBgpZUlfz>|9Bje?rr>B6qD{<6_f7$6_f766|?-y6q9bI zm~=1qbQ$~<4JO@ZD<<6+Dkj~}@i-yfS1BglnPSrYJjJB@C5lP+t%}L#?TShF3Qsq2 zef3*4m~_8gG3oxG;@mBuxAVze>YwnTDarqmVv_$I#U%ep#U%fCib?)I6qEcRKQW~w z{~Rsd6@Re?ll(mull+4fv#yVLoRO}39!av4WyR(91Pv$MD;1OOHHu01rHVxx>HeaX`Aiub6cITruhXqhiwilw#7owV#;+ z(!G;n(!Gyj(tVJocXS@A!I{I4QB1nA$06xHNipeOrI>WDRZP0CP)xe(ib?l+#iaWh z#iaWvPnX$!p$3!gn-r7o*LfU~?zbo=-47`y-S1P({C`w2>HfT8()~@vr2EH;Nq5E5 zW%9q)VAB0p#iaYc9>=76TR&CBqY z^f)EmUsg=IzpI#Z|5P#Q{=H(-{ZGZDdn-Q`rQ~x5#iaXOPd9Z#>s}g6x(`vDyXF7( zKDvv2sSnLa-aT$4F=SbB;ZM|Xl7G5ll7F6Jl7E?Ek}njK{75m$zeL%%;x;vy-r5I=cM~Jib?mI6qD`;6qD}vC??$>QB1l&tC)0uT`}o)JYCZHLk%X~zf_#NRpehh zmSrW!vhqI*!%B{2W#}_pIp**w#SDMF;=qM}h2qfRuT~s6{EdoZhu^O_arnCxrw;$H z;w%TZdn$IpKeK=i|C+}E>HdLY()|m?r29{bN%zx=N%tZ@GXZs={6OU?lTpW?h6!??kg3O?uKI0ohT;V*D5C6FH%gpM?76-|7Hy) z-LLmJBHec@CfyG!Cf)B>%=~^#G3ow-V$%IB#iaWuib?lx6q9b?=`y>2(_qs5KaXS5 zy`7)9V$!|4V$yw}V$yx2V&;ELG3j2em~^jDOuEleOuA3-bea6c8ce#Y9w(&RS4_Gm z6qD|0#iaXXib?k?6|=l|Dkk0cDkk0UR7|>8db*7MQ4J>DpYk{*-Ct2my1%EGbpK2- z>HdRa()};Rq`{>mDeQB(jjWq4?PvPP)%f zOuElkOu8>uOuB1|Nq4N6d|s`XbYJS}X0G@z(BRzdRxb9zF7%B)G$;A5RZQ~VteE6K zsF>uxS24+dTrtW2oMMvy4aFq?M~X?ltLz-TztZ45$C&dTvC1H|0beEFU+gyJ9KIZ@ za(1YJLlcLJYsxu%C7$aruvHzx%iGC!MH#@&(pS-RP;D5F|GK2B3kD*Se!UD&qF0&$B7#@E*(QIhTRDy6d5f?&|YI{_q~l>F&xX6CiEX!MtB( zI3ki?vs!?hql`O>zv1$Wly_4w{9bkJR0eds=+H&}o~_G&zstCjlyOVYfxdf#JfGp~ zAN2(9v7GLzUwx+AW534vPC8J=EuqaZK5ob^@}EiEB;#WjW3VAKT-o^VT~kiregA97 zIb72n7YBsnO3|-V2x*qyrxm!XzANz#i#N+an_nvnh|jZG#`9RrCKTg{d_ok$+a9LVLwSFYY zIhBEpLKB%(+pqnI4t~|6%9CrjtiuW2KY2_sJNz_!&loJ=de|sZ;vzV+ZssI z#G&Gvat^=SGR`ocHzccbDg*7YAA6BQhrwh!7wA0Lf7aW4r!{=P#>e?61MQ7+nmDPr zU5<}k&+R*v@uI`~vi2?2v0v?h>RF}(Wn8xp*8^uN;|$kl4Ww`4P;pH;hu8V)+{SrB zvO1?ScF`WYE29+D1fhz9dB4hV9bEEjR`SQ`&8-Y@Ue}f1&8u#Wi3<=w2u~PFq}1m%F%D zYglQUVuY`>$7zAv^dfv0W}TI740SvW$i!-&{y= zXVBs6su~14{9*C;F3*9RrN=oP&zc^V|Esuqj$ouXBL4ojyOs8rreOHp$FR@&FE47k9o7M5fI$jsFJ>ztC}7kX;7q 
zYUlevyDj5<)YbVY<20(u)t@^l52yvy)y|(!?6$5>yIh;@xH$MS_NP7E^kC{Z^S*Jn zI+mBQe`9dxGWMrEb}qxW2Wkav2G1IjlkyC+8{n?K-Cxnp z{$91soh+J&S8>fH=P)bxhF89~I%$@9$Ukv>ilgby7YCGq{m4b-U`)@JD!Y4@j$GwerPW1{S;YYKp0aA^p#b@;k+5y}J7 zdH;~|96`;}`+R}nn(nwb0K@xuhfWI+*L26l0pS=gr{%=QZ3>33Vu9PzA`ZNdw^JF= zxG!ZKmW;$T-EnaMhcn&Z@M-*ipBflmb?i`vZz~^nYg%BqraLYU!0r}6)NVqkdHaaw@5raLYUUWZ>p5YjBYPYVp!bjQU37~aP_bXb76 zraLYU2)|ji`Dt=*@}C}kUG21{`!xQ)PYevNb@e&{;+pQbIQTO5r9H~btupqlJ$5K# z-^RxdWt?fR=(YR*he`(wuk8UKuIY}8gKv+W?)myO{=ZKR48PklcDkp9eBheyxHtgA zYZ(mz;+pQbI3WDd;tz}Wahq}uU&R8qr9~WgAMa2@fVieRE)EDs8TjwxHsu_?iUn>< zi#YH;p8K$(w8=kp2)~O%O^w?W4DZw89Iok(ivuvck5_K*w#7p@o=e5E&OUBa&f%+A z;I_1g1MlNu-vifl$Hf8R_|E0NlyR8(Hu+DFC}ZEo`3`05+c+;P&C;=7Wt=W+$0}pL z>T0Jl&W8?^u^)5EXIe+~`cNdfG1Qd*er(|!uIY}812DXgcUsQjn(nwbAbh{pkJDwg z&GNthhcbMddz*j$61Z7<&sE^Au2Xz`q^~-!37_`z>h-261DbX!<8Vo;S^oF`fZ;v= za(Xn|=1gT&^+}fMnsNs3%i!G;+Qh8R*A@CeHLs>%pSEh(gmQv7@IGEc&f%KwxHupj z?X3|PLAAI|v7Z)ySUlW~rEBusy{ru9@V-nRcdH#qaV-kFcTG8g_i0(Tv{mgs95$?7 zzV5d0aqzT6@%E2b&QXZBH!J6-E9W1toF5V)8ozRWx^n*U$~hKIjbAxGT{-`F<-8@_ znx&UwopTjb+M4oT?Kj?N*7c1~a>=&mBSa9=EWPF<<-;{gul5^nbX9NIT?t$5KHXNk z6zhV{zx^SH;I@~0!xFobWyH7bWwmXKzs$~_Zt+>hbD7=dvo!y*VYb%8Ql88D!!rAl z{LAjSt$y}yUsew{ENRDO@o#hrw${UPK6XCb)1P}gGWYHIP}O$(GM>xE-7@==T&-=- ze`$XxCzP%AwqNzIwBME!-_~+(>iEm*ZJ8bOJF0Xm&t>&oM&B0y#wGQ9Q|mp*AFYRV z`XTOrQ;zVyy$|eC8RC}B53IHA{eM}#RmTN$X4<`;Hzk2@qv{^f%E#Nz^?yq;z&>-e zKQCsZ(QKnN9d(WuGw|>pFAfrK9ieu#zqLPG6vIi_nIc3;~m5{ z8Og8NZ!ZiN1gpJaw{S1u@CndV-CoUve8)vS8uFd>#vLPHTuiL?kGIx(efPdwpEK;8 zjmb7UN|c;@H2jCg-uTp#%==P1TQk3}r0_M@84ZU;XEvG`>CxKb$*5CIr_}=Sh28dS zFg;-jg4RxZ++OYVd$Y};n(nX!t+}_udn>39*Q{(%-{bbyCWm!<+aMPyvNfL;lVOc1 zZr`l+)<)ZE0IjsOR$v>By4#wetbv*oG{frHy-Lz+L9KL)j?}ABlc<&6q}w)vkZ!y& zveQ-j_;9U1S~oI){7H9egrL-EXJ&POBs$f#LLlvU;ohd~rB(Zj@RW+16;^+#vh7Vf z)1JWzPiXnRCnK}lYg?LduXR4`NvEDoiuSIWkaBX!%zL(RID?XFMEh6Tyv9jiw0hCg4U$49HLl4+|oFHRIgYs8^-PdEnlgn`jN z-JH&fS`Akl?bO=DVu6e&rzYlX&I%qH^-;~ZJDgaIt8KVm42wz6YUy(F9WR}H+oyuq 
zAb_{<`pU!5oK4!pDf+At7Zp8PosRm23>=@RH%``08j+#dF4A?6Y1gU_*T}`Dksa=g zNs+zU+}f}Rt@S3w$#!4H|F*4xn^WEDVFaS=aWPqIxvou%8 zsG2YVT`x=VWM)l;$Z9rUCVg(syx8!x$78AWw(JPDtGbtj`_|}8HpjD(5y^GW_Q{?# zwWC4WQ^~m3p7loVcUin51a;cIH6up|^~G){g{#xbL^$5EbhufpKE~W4zHQ{8!rFan zEpXkaGq42RuR?9Dx7zBDM#tw?L~N&~MQ1*dJ&Bi$|0s1ju*MlSD@aw&Gwz2^d`g#_ zQ_!mI{T?ClQCqSq%vvYflh#CfK&>BfL((r=v(0gB!9ufjC%sm;z*1IEgoy!ro7To? zP_$&jHp7&+H3u}rB9`n*>zRPFl{v;+G3(SLyY11mZbP$SdsMe#izw6R+Lp*L&j#bI zW)ya+JE&&?>5h1Jbw2IZ!`z%Wl3`S~om)<}NkpxuitOivqQ^cRbdOAk{0s)1^+R)x!$xolhN>1qt$x2 zBZKyx$mLEw2uay=$E9C&d(-3f@cT>nscC0Y6vJuz1o}zQmkF*_oGP}oD>^}ET{cAH zdJbq8xw@$v(cqmz7KoY-MD5E^s~OSUZqlxsk%OznT4XGRgJLQhqK&p(Pg$*o?VD?v zPQQn~&MSd>=9uG;%baWu8MH;MN@@%cTDFDJ=P=FI(w5a(%L2XN6gHkBpcWu@cLk62 zcCA=jD_XU@WH;M&;~4Xc?;m)(2;-t_w5FRwX}8g~Xi&^(QmHK&N7X!#7x46$&lUgi zc@3{4#VkB1XKJYBn@AY?iT}x{MjrVlvBmMB1!)p^-K+Y_VZW3|ng0GQ*bF zY_4VudO^JsoQ%Mb7FcNwX@MavFr)>Bw7`%S7}5emnn5Krq=kmG(2y2d`5DqeLt1D^ z3k_+ZAuTkd8O271w8)Sa8PXy{T4a@BNQ(?ivmK)M? zLt1V~%MEF{AuTtg<%YD}ke1hVxIMs1b;0+Gd(Ft@`B=?XMqIIsLCwf*Ma{$v>uG7L zC#5Yk(nf|YHf)JuOAT9Q*z)bRpk4{w7Z}kDX@MavFr)>Bw7`%S7}5emT3|>E3~8Yu z&7c<=(n3R8Xr(ozg@&}ykQN%!LPJ_;NQ(?<29?N=78%kaLt13zXGn_-X^|lmRej4X{jMCGo%?wGecTtNXraqnISDRq-BP* z%#fB@{0wQiAn+V(sDyuUgzvr{MrYZes!-I%WXi-Rz?hJ z#&UVD*|-a+naUO4u!V*#GHkJ7OAK3T*fPVG*KBTgRI@n7!7;-dF+w9t@dP!0`gp%u@N78=q*Lt1D^3k_+ZAuTebMTRtk zUSvp%3~7;-){qt%(jr4zWJrq)X|W+KHl!I;VnbSNNQ(_=v6Y`8EjFaZhP2p_mKf3! 
zLz+=+Vn|C2X^9~%F{C9{8HTjPkd_$IQbSs5NHdB^4QZ(%Ej6U2hP2d>mRjW+(o#d3 zJRVWKrgT$FW=J!#%M59mAuThcWrnoOkd_(JGK-5LEjOg)hBPawAuTtg<%YD}kd_hwx{130Lt0=+3k+$2AuTYZ1%|YsF3oLkwu=o7v7sS0tSfWvXb1}}n;|wd z#D<30&=4CMV#B&vSMiY{Ei$A7nX@MavFr)>Bw7`%S7}7#RT4+cM4bGthyXTo*NjMV8GF8yR9FLu_P-jp|}u zCC7%e*pL<*(qcoJK{+<0#a28+T5L#*4Qa6f5 zNJ|W9sUa;jq@{+m)R1OSNeyYKAuTnerB;51wA7H68PYOCT4qSg3~5HOnISDRq-BP* z%#fB@Wf;*RaSKp0vDnzKC5A0EY?)!px7&hahRu)`7}5emT3|@Ck{Z$iLt0=+3k+$2AuTkd zg@&}y;1?RwLPMGr&5#xv(n3R8Xh;hUX^|lF*d};hS=B;8yjNdx-vKV3}LZlGsMP**w_#o*TuRDO$=#?AuTbaC5E)b zkY-R$3~7lK&ybcF(h@^jYDh~BX{jMCHKe76G=pAhNJ|ZAsg>4{mKxGBLt17?%M59m zAuThc8B{VuT4qSg3~8B_pCK(bq~(UR+>n+V(sDzZRjeT`H>Bl;wA_%E*URwBePS*5 zHDkHl8@3h078thButkO~uGzQ+sF_G5F>I+}%M4q--4+}(Y=*SJkQNxy0z+D0NVBpt zqy>hwz>pRg(n3R8Xh;hUE}ks&QIq(z3b*pL<*(qcneY)Fd@&aok_ZgOKSHl)RdwAhdq*QL3g%=VF%7-ADc zY+{H_46%tJHmNIf6N@1%v22Fe#1Na*#k$H%4QZ(%Ej6U2hP2d>mKxFw%BdkOwc;7l zQbSs1NXraqnISDRq-BP*%#dc#%M59mAuY4g8q#t@T5d?o4QaU{EjOg)hBS+cAuTtg z<%YDpo}XXtQ){`e8O!C~u&o%jz_5jeEi!DeVM}T@ZUJg0(n}3nX4vxWw&0jyGo%HE zw7`%S7}5emT3|@CiZG-FhP1$t78=q*Lt1E*8yeC=Lt1D^3k_*jc80XjkQN%!B12ka zNQ(?nbWUq-BP*%#fBD(lSF@W=P8nX$IxYkd|5T3~9L`EjOg)hP2#} zmK)M?Lt1V~v*;Ppazk2PPwSWa%v$bi#&WqgY%7K>Fl?b=iws+A*b>8*)@Txv4QXjzn%l{2pC2B+*Fl?b=iws+A z*b>8*8n&!v;})Q1qKtgIEjVV_3~7NOEij}7hP1$t78ue3Lt0=+v#1!-LPJ_;NDGbp zLPJ_;NDB>Vp&>0aq=kkwt5`!?WJrq)X^|lMD|0JdT^M&Qb(_3z@6elXeC?+$ zx%iUC74mjlyq0~lF>cS~b=$*f)2Hp}XmSW;kF{ev?cqj=pd#1T~Cx;@RU#!pj?MVY~xU5hD+%HZp>s`?CR6*<7 z&B5xZ-|IB+GXND{{meI-sT40dAf<3k|f=cH1ez=?|vW78V?UHmw8CS2cr}6qH#&fQ8S8rEY<}Sf5#*_Q~%5nzHPF^LJMjMWXk6o;M)o7O? 
zHy7_Yh~wVEUCUl0YS4d)CH}9xRP;t^2WyrNP$?$CKU(X}Wb;TN-=zS5GYFf`CLiw@S9jT(c|Tt+rpVLs$J zJDYo5`gBnl)npjn^J#CmUaHz5n!M#&-d!&-T?xBOQ)XSQ+&z|X4oTf_6YR0Lvq)36 z_n9k@m9Ztdn?y#^xbAlWrZT|WGTcYq-rA;2;_X>+rgqy+e)5YFcwhFJGMvh9skjEl zNb0T2>as)aQO&ikb2VPrxayjxx^Z0HAzq<7UB7?!q2+&c;@a-^2zsnruP`OZ4qz-> zajArEL*5E0Z*Ex$x8&d?(~Tm=1LR zR!f3%wr#Sckm}~DmcSKZZh$0Jb>mY{wYRzD+HoPjLeZ}*4On8ZM7iRxo60r<`vy18 zPs-0W6ms=~nFjpj<*W3so3H|}*p$7iRNwX; zx$Dfk>0Cw+63NfU2$0pWka^HI4t|cT(Uq;lIp%#0f7q?j#!kB@TXi@0`oZ#Pku@Q>0H9z zn*2iFn(T$flcTfAylAcB>hkEC%o*i5Ga5uvo3cU1rHI@5&SY1-SmRpwJukVTP_$Yu z+wOcY*d#}6ae6~p$YhTro2-+Fby-7pFEVzep`^`<$wank!`V?;iyhZaUw%?h>Q#2g zLVYU5V&lAu8#VYrLHRY8t_*_-Zuj&zOA>pjLfL(fNBxuS$?%BO#k9R%-jH!Dge5|- zpq7EGti2Z?y3G8CP%Im`GW)X-AU}5Hes}B$ek%l5fwF5AQN2?~8x#2rD*5pjsmwut zD!=rx)}Hrgefi<0J}ok*uS@io4LVc#9g$hFKAQB3=_|N+?^2`8Ez%Sq;eJ}@)a*$4 z|0v3o?FcTiPsk4k9W{&DQz_E&?q^w!aHc(qpJyO%9 z3>Vpl!HSENIqqffo(MSXT)wN$D`mQBcimM6789QbE_4PmA3G(x%todx=?d~Eo71(n z{8H*s^iF?YOzy1cVlgSMpUb64!!1cHqQPGlYOKwN9o$Hh&LZ7P2t|#Pa{s;|>lifi zMi08(noQ?daT;xattzy;-_f1kW zGS6W7X>d*B`H~BW&GJoifes$Bu)m|)pPclPtx#>BX^yHomQSystem shutdown command. - -######################################## -## -## Role access for shutdown. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`shutdown_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_role'($*)) dnl - - gen_require(` - type shutdown_t; - ') - - shutdown_run($2, $1) - - allow $2 shutdown_t:process { ptrace signal_perms }; - ps_process_pattern($2, shutdown_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_role'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run shutdown. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`shutdown_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_domtrans'($*)) dnl - - gen_require(` - type shutdown_t, shutdown_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, shutdown_exec_t, shutdown_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute shutdown in the shutdown -## domain, and allow the specified role -## the shutdown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`shutdown_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_run'($*)) dnl - - gen_require(` - attribute_role shutdown_roles; - ') - - shutdown_domtrans($1) - roleattribute $2 shutdown_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_run'($*)) dnl - ') - - -######################################## -## -## Send generic signals to shutdown. -## -## -## -## Domain allowed access. -## -## -# - define(`shutdown_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_signal'($*)) dnl - - gen_require(` - type shutdown_t; - ') - - allow shutdown_t $1:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_signal'($*)) dnl - ') - - -######################################## -## -## Send SIGCHLD signals to shutdown. -## -## -## -## Domain allowed access. 
-## -## -# - define(`shutdown_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_sigchld'($*)) dnl - - gen_require(` - type shutdown_t; - ') - - allow $1 shutdown_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_sigchld'($*)) dnl - ') - - -######################################## -## -## Get attributes of shutdown executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`shutdown_getattr_exec_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shutdown_getattr_exec_files'($*)) dnl - - gen_require(` - type shutdown_exec_t; - ') - - corecmd_search_bin($1) - allow $1 shutdown_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shutdown_getattr_exec_files'($*)) dnl - ') - -## Ruby on rails deployment for Apache and Nginx servers. - -###################################### -## -## Execute passenger in the passenger domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`passenger_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `passenger_domtrans'($*)) dnl - - gen_require(` - type passenger_t, passenger_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, passenger_exec_t, passenger_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `passenger_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute passenger in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`passenger_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `passenger_exec'($*)) dnl - - gen_require(` - type passenger_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, passenger_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `passenger_exec'($*)) dnl - ') - - -######################################## -## -## Read passenger lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`passenger_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `passenger_read_lib_files'($*)) dnl - - gen_require(` - type passenger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `passenger_read_lib_files'($*)) dnl - ') - -## Policy for dmesg. - -######################################## -## -## Execute dmesg in the dmesg domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dmesg_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dmesg_domtrans'($*)) dnl - - gen_require(` - type dmesg_t, dmesg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dmesg_exec_t, dmesg_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dmesg_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute dmesg in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`dmesg_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dmesg_exec'($*)) dnl - - gen_require(` - type dmesg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dmesg_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dmesg_exec'($*)) dnl - ') - - -# This should be in an ifdef distro_gentoo but that is not allowed in an if file - -######################################## -## -## Execute dmesg in the dmesg_t domain, and allow the calling role -## the dmesg_t domain. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dmesg_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dmesg_run'($*)) dnl - - gen_require(` - type dmesg_t; - ') - - dmesg_domtrans($1) - role $2 types dmesg_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dmesg_run'($*)) dnl - ') - -## Abstract Machine Test Utility. - -######################################## -## -## Execute a domain transition to run Amtu. -## -## -## -## Domain allowed to transition. -## -## -# - define(`amtu_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amtu_domtrans'($*)) dnl - - gen_require(` - type amtu_t, amtu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amtu_exec_t, amtu_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amtu_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## Amtu, and allow the specified role -## the Amtu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`amtu_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amtu_run'($*)) dnl - - gen_require(` - attribute_role amtu_roles; - ') - - amtu_domtrans($1) - roleattribute $2 amtu_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amtu_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an amtu environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`amtu_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amtu_admin'($*)) dnl - - gen_require(` - type amtu_t, amtu_initrc_exec_t; - ') - - allow $1 amtu_t:process { ptrace signal_perms }; - ps_process_pattern($1, amtu_t) - - init_startstop_service($1, $2, amtu_t, amtu_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amtu_admin'($*)) dnl - ') - -## Standards Based Linux Instrumentation for Manageability. - -######################################## -## -## Execute gatherd in the gatherd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sblim_domtrans_gatherd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sblim_domtrans_gatherd'($*)) dnl - - gen_require(` - type sblim_gatherd_t, sblim_gatherd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sblim_domtrans_gatherd'($*)) dnl - ') - - -######################################## -## -## Read gatherd pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sblim_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sblim_read_pid_files'($*)) dnl - - gen_require(` - type sblim_runtime_t; - ') - - files_search_pids($1) - allow $1 sblim_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sblim_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sblim environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sblim_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sblim_admin'($*)) dnl - - gen_require(` - attribute sblim_domain; - type sblim_initrc_exec_t, sblim_runtime_t; - ') - - allow $1 sblim_domain:process { ptrace signal_perms }; - ps_process_pattern($1, sblim_domain) - - init_startstop_service($1, $2, sblim_domain, sblim_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, sblim_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sblim_admin'($*)) dnl - ') - -## Digital Certificate Tracking. - -######################################## -## -## Domain transition to certwatch. -## -## -## -## Domain allowed to transition. -## -## -# - define(`certwatch_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certwatch_domtrans'($*)) dnl - - gen_require(` - type certwatch_exec_t, certwatch_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certwatch_exec_t, certwatch_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certwatch_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute certwatch in the certwatch -## domain, and allow the specified role -## the certwatch domain. -## backchannel. 
-## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`certwatch_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certwatch_run'($*)) dnl - - gen_require(` - attribute_role certwatch_roles; - ') - - certwatch_domtrans($1) - roleattribute $2 certwatch_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certwatch_run'($*)) dnl - ') - -## Linux hardware error daemon. - -######################################## -## -## Execute a domain transition to run mcelog. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mcelog_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcelog_domtrans'($*)) dnl - - gen_require(` - type mcelog_t, mcelog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mcelog_exec_t, mcelog_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcelog_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mcelog environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mcelog_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcelog_admin'($*)) dnl - - gen_require(` - type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t; - type mcelog_runtime_t, mcelog_etc_t; - ') - - allow $1 mcelog_t:process { ptrace signal_perms }; - ps_process_pattern($1, mcelog_t) - - init_startstop_service($1, $2, mcelog_t, mcelog_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, mcelog_etc_t) - - logging_search_logs($1) - admin_pattern($1, mcelog_log_t) - - files_search_pids($1) - admin_pattern($1, mcelog_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcelog_admin'($*)) dnl - ') - -## Advanced Linux Sound Architecture utilities. - -######################################## -## -## Execute a domain transition to run Alsa. -## -## -## -## Domain allowed to transition. -## -## -# - define(`alsa_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_domtrans'($*)) dnl - - gen_require(` - type alsa_t, alsa_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, alsa_exec_t, alsa_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## Alsa, and allow the specified role -## the Alsa domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`alsa_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_run'($*)) dnl - - gen_require(` - attribute_role alsa_roles; - ') - - alsa_domtrans($1) - roleattribute $2 alsa_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_run'($*)) dnl - ') - - -######################################## -## -## Read and write Alsa semaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_rw_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_rw_semaphores'($*)) dnl - - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_rw_semaphores'($*)) dnl - ') - - -######################################## -## -## Read and write Alsa shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_rw_shared_mem',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_rw_shared_mem'($*)) dnl - - gen_require(` - type alsa_t; - ') - - allow $1 alsa_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_rw_shared_mem'($*)) dnl - ') - - -######################################## -## -## Read Alsa configuration content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`alsa_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_read_config'($*)) dnl - - gen_require(` - type alsa_etc_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_t, alsa_etc_t) - read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_read_config'($*)) dnl - ') - - -######################################## -## -## Manage Alsa config files. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_manage_config'($*)) dnl - - gen_require(` - type alsa_etc_t; - ') - - files_search_etc($1) - allow $1 alsa_etc_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_t, alsa_etc_t) - read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_manage_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## alsa home files. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_manage_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_manage_home_files'($*)) dnl - - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_manage_home_files'($*)) dnl - ') - - -######################################## -## -## Read Alsa home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`alsa_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_read_home_files'($*)) dnl - - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_read_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel alsa home files. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_relabel_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_relabel_home_files'($*)) dnl - - gen_require(` - type alsa_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_relabel_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the generic alsa -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`alsa_home_filetrans_alsa_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_home_filetrans_alsa_home'($*)) dnl - - gen_require(` - type alsa_home_t; - ') - - userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_home_filetrans_alsa_home'($*)) dnl - ') - - -######################################## -## -## Read Alsa lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`alsa_read_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_read_lib'($*)) dnl - - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) - - ifdef(`distro_gentoo',` - # gentoo saves the files in /var/lib/alsa/oss/CardName - list_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_read_lib'($*)) dnl - ') - - -######################################### -## -## Write Alsa lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`alsa_write_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_write_lib'($*)) dnl - - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) - - ifdef(`distro_gentoo',` - # gentoo saves the files in /var/lib/alsa/oss/CardName - rw_dirs_pattern($1, alsa_var_lib_t, alsa_var_lib_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_write_lib'($*)) dnl - ') - - -# Gentoo specific for now, but cannot use ifdef distro_gentoo in an interface - -# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html -# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html - -######################################## -## -## Mark the selected domain as an alsa-capable domain -## -## -## -## Domain that links with alsa -## -## -## -## -## Tmpfs type used for shared memory of the given domain -## -## -# - define(`alsa_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `alsa_domain'($*)) dnl - - gen_require(` - attribute alsadomain; - attribute alsatmpfsfile; - ') - - typeattribute $1 alsadomain; - typeattribute $2 alsatmpfsfile; - 
- popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `alsa_domain'($*)) dnl - ') - - - -## Generate debugging information for system. - -######################################## -## -## Execute a domain transition to run sosreport. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sosreport_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_domtrans'($*)) dnl - - gen_require(` - type sosreport_t, sosreport_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sosreport_exec_t, sosreport_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute sosreport in the sosreport -## domain, and allow the specified -## role the sosreport domain. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# - define(`sosreport_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_run'($*)) dnl - - gen_require(` - attribute_role sosreport_roles; - ') - - sosreport_domtrans($1) - roleattribute $2 sosreport_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_run'($*)) dnl - ') - - -######################################## -## -## Role access for sosreport. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`sosreport_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_role'($*)) dnl - - gen_require(` - type sosreport_t; - ') - - sosreport_run($2, $1) - - allow $2 sosreport_t:process { ptrace signal_perms }; - ps_process_pattern($2, sosreport_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_role'($*)) dnl - ') - - -######################################## -## -## Read sosreport temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`sosreport_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_read_tmp_files'($*)) dnl - - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Append sosreport temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`sosreport_append_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_append_tmp_files'($*)) dnl - - gen_require(` - type sosreport_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_append_tmp_files'($*)) dnl - ') - - -######################################## -## -## Delete sosreport temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sosreport_delete_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sosreport_delete_tmp_files'($*)) dnl - - gen_require(` - type sosreport_tmp_t; - ') - - files_delete_tmp_dir_entry($1) - delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sosreport_delete_tmp_files'($*)) dnl - ') - -## Red Hat utility to change fstab. - -######################################## -## -## Execute updfstab in the updfstab domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`updfstab_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `updfstab_domtrans'($*)) dnl - - gen_require(` - type updfstab_t, updfstab_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, updfstab_exec_t, updfstab_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `updfstab_domtrans'($*)) dnl - ') - -## Utilities for the tboot TXT module. - -######################################## -## -## Execute txt-stat in the txtstat domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tboot_domtrans_txtstat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tboot_domtrans_txtstat'($*)) dnl - - gen_require(` - type txtstat_t, txtstat_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, txtstat_exec_t, txtstat_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tboot_domtrans_txtstat'($*)) dnl - ') - - -######################################## -## -## Execute txt-stat in the txtstat domain, and -## allow the specified role the txtstat domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to be allowed the txtstat domain. 
-## -## -# - define(`tboot_run_txtstat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tboot_run_txtstat'($*)) dnl - - gen_require(` - attribute_role txtstat_roles; - ') - - tboot_domtrans_txtstat($1) - roleattribute $2 txtstat_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tboot_run_txtstat'($*)) dnl - ') - -## Read files into page cache for improved performance. - -######################################## -## -## Execute a domain transition -## to run readahead. -## -## -## -## Domain allowed to transition. -## -## -# - define(`readahead_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `readahead_domtrans'($*)) dnl - - gen_require(` - type readahead_t, readahead_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, readahead_exec_t, readahead_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `readahead_domtrans'($*)) dnl - ') - -## Network analysis utilities - -######################################## -## -## Execute network utilities in the netutils domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`netutils_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_domtrans'($*)) dnl - - gen_require(` - type netutils_t, netutils_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, netutils_exec_t, netutils_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute network utilities in the netutils domain, and -## allow the specified role the netutils domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`netutils_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_run'($*)) dnl - - gen_require(` - type netutils_t; - ') - - netutils_domtrans($1) - role $2 types netutils_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_run'($*)) dnl - ') - - -######################################## -## -## Execute network utilities in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`netutils_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_exec'($*)) dnl - - gen_require(` - type netutils_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, netutils_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_exec'($*)) dnl - ') - - -######################################## -## -## Send generic signals to network utilities. -## -## -## -## Domain allowed access. -## -## -# - define(`netutils_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_signal'($*)) dnl - - gen_require(` - type netutils_t; - ') - - allow $1 netutils_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_signal'($*)) dnl - ') - - -######################################## -## -## Execute ping in the ping domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`netutils_domtrans_ping',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_domtrans_ping'($*)) dnl - - gen_require(` - type ping_t, ping_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ping_exec_t, ping_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_domtrans_ping'($*)) dnl - ') - - -######################################## -## -## Send a kill (SIGKILL) signal to ping. -## -## -## -## Domain allowed access. -## -## -# - define(`netutils_kill_ping',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_kill_ping'($*)) dnl - - gen_require(` - type ping_t; - ') - - allow $1 ping_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_kill_ping'($*)) dnl - ') - - -######################################## -## -## Send generic signals to ping. -## -## -## -## Domain allowed access. -## -## -# - define(`netutils_signal_ping',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_signal_ping'($*)) dnl - - gen_require(` - type ping_t; - ') - - allow $1 ping_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_signal_ping'($*)) dnl - ') - - -######################################## -## -## Execute ping in the ping domain, and -## allow the specified role the ping domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`netutils_run_ping',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_run_ping'($*)) dnl - - gen_require(` - type ping_t; - ') - - netutils_domtrans_ping($1) - role $2 types ping_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_run_ping'($*)) dnl - ') - - -######################################## -## -## Conditionally execute ping in the ping domain, and -## allow the specified role the ping domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`netutils_run_ping_cond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_run_ping_cond'($*)) dnl - - gen_require(` - type ping_t; - bool user_ping; - ') - - role $2 types ping_t; - - if ( user_ping ) { - netutils_domtrans_ping($1) - } - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_run_ping_cond'($*)) dnl - ') - - -######################################## -## -## Execute ping in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`netutils_exec_ping',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_exec_ping'($*)) dnl - - gen_require(` - type ping_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ping_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_exec_ping'($*)) dnl - ') - - -######################################## -## -## Execute traceroute in the traceroute domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`netutils_domtrans_traceroute',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_domtrans_traceroute'($*)) dnl - - gen_require(` - type traceroute_t, traceroute_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, traceroute_exec_t, traceroute_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_domtrans_traceroute'($*)) dnl - ') - - -######################################## -## -## Execute traceroute in the traceroute domain, and -## allow the specified role the traceroute domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`netutils_run_traceroute',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute'($*)) dnl - - gen_require(` - type traceroute_t; - ') - - netutils_domtrans_traceroute($1) - role $2 types traceroute_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_run_traceroute'($*)) dnl - ') - - -######################################## -## -## Conditionally execute traceroute in the traceroute domain, and -## allow the specified role the traceroute domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`netutils_run_traceroute_cond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute_cond'($*)) dnl - - gen_require(` - type traceroute_t; - bool user_ping; - ') - - role $2 types traceroute_t; - - if( user_ping ) { - netutils_domtrans_traceroute($1) - } - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_run_traceroute_cond'($*)) dnl - ') - - -######################################## -## -## Execute traceroute in the caller domain. 
-## -## -## -## Domain allowed access. -## -## -# - define(`netutils_exec_traceroute',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netutils_exec_traceroute'($*)) dnl - - gen_require(` - type traceroute_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, traceroute_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netutils_exec_traceroute'($*)) dnl - ') - -## -## Determine of the console connected to the controlling terminal. -## - -######################################## -## -## Execute consoletype in the consoletype domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`consoletype_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consoletype_domtrans'($*)) dnl - - gen_require(` - type consoletype_t, consoletype_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, consoletype_exec_t, consoletype_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit consoletype_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consoletype_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute consoletype in the consoletype domain, and -## allow the specified role the consoletype domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`consoletype_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consoletype_run'($*)) dnl - - gen_require(` - type consoletype_t; - ') - - consoletype_domtrans($1) - role $2 types consoletype_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consoletype_run'($*)) dnl - ') - - -######################################## -## -## Execute consoletype in the caller domain. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`consoletype_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consoletype_exec'($*)) dnl - - gen_require(` - type consoletype_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, consoletype_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consoletype_exec'($*)) dnl - ') - -## Sectool security audit tool. - -######################################## -## -## Role access for sectoolm. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`sectoolm_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sectoolm_role'($*)) dnl - - gen_require(` - type sectoolm_t; - ') - - allow sectoolm_t $2:unix_dgram_socket sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sectoolm_role'($*)) dnl - ') - -## Check file integrity. - -####################################### -## -## The template to define a samhain domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`samhain_service_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_service_template'($*)) dnl - - gen_require(` - attribute samhain_domain; - type samhain_exec_t; - ') - - type $1_t, samhain_domain; - domain_type($1_t) - domain_entry_file($1_t, samhain_exec_t) - - files_read_all_files($1_t) - - mls_file_write_all_levels($1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_service_template'($*)) dnl - ') - - -######################################## -## -## Execute samhain in the samhain domain -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`samhain_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_domtrans'($*)) dnl - - gen_require(` - type samhain_t, samhain_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samhain_exec_t, samhain_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute samhain in the samhain -## domain with the clearance security -## level and allow the specifiled role -## the samhain domain. -## -## -##

-## Execute samhain in the samhain -## domain with the clearance security -## level and allow the specifiled role -## the samhain domain. -##

-##

-## The range_transition rule used in -## this interface requires that the -## calling domain should have the -## clearance security level otherwise -## the MLS constraint for process -## transition would fail. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed to access. -## -## -## -# - define(`samhain_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_run'($*)) dnl - - gen_require(` - attribute_role samhain_roles; - type samhain_exec_t; - ') - - samhain_domtrans($1) - roleattribute $2 samhain_roles; - - ifdef(`enable_mls', ` - range_transition $1 samhain_exec_t:process mls_systemhigh; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_run'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samhain configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`samhain_manage_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_manage_config_files'($*)) dnl - - gen_require(` - type samhain_etc_t; - ') - - files_rw_etc_dirs($1) - allow $1 samhain_etc_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_manage_config_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samhain database files. -## -## -## -## Domain allowed access. -## -## -# - define(`samhain_manage_db_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_manage_db_files'($*)) dnl - - gen_require(` - type samhain_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samhain_db_t, samhain_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_manage_db_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## samhain init script files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`samhain_manage_init_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_manage_init_script_files'($*)) dnl - - gen_require(` - type samhain_initrc_exec_t; - ') - - files_search_etc($1) - manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_manage_init_script_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samhain log and log.lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`samhain_manage_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_manage_log_files'($*)) dnl - - gen_require(` - type samhain_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, samhain_log_t, samhain_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_manage_log_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samhain pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`samhain_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_manage_pid_files'($*)) dnl - - gen_require(` - type samhain_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, samhain_runtime_t, samhain_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_manage_pid_files'($*)) dnl - ') - - -####################################### -## -## All of the rules required to -## administrate the samhain environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`samhain_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samhain_admin'($*)) dnl - - gen_require(` - attribute samhain_domain; - type samhain_db_t, samhain_etc_t; - type samhain_initrc_exec_t, samhain_log_t, samhain_runtime_t; - ') - - allow $1 samhain_domain:process { ptrace signal_perms }; - ps_process_pattern($1, samhain_domain) - - # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first - # init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t) - - files_list_var_lib($1) - admin_pattern($1, samhain_db_t) - - files_list_etc($1) - admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t }) - - logging_list_logs($1) - admin_pattern($1, samhain_log_t) - - files_list_pids($1) - admin_pattern($1, samhain_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samhain_admin'($*)) dnl - ') - -## Configuration management system. - -######################################## -## -## Execute puppetca in the puppetca -## domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`puppet_domtrans_puppetca',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_domtrans_puppetca'($*)) dnl - - gen_require(` - type puppetca_t, puppetca_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, puppetca_exec_t, puppetca_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_domtrans_puppetca'($*)) dnl - ') - - -##################################### -## -## Execute puppetca in the puppetca -## domain and allow the specified -## role the puppetca domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`puppet_run_puppetca',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_run_puppetca'($*)) dnl - - gen_require(` - attribute_role puppetca_roles; - ') - - puppet_domtrans_puppetca($1) - roleattribute $2 puppetca_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_run_puppetca'($*)) dnl - ') - - -#################################### -## -## Read puppet configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`puppet_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_read_config'($*)) dnl - - gen_require(` - type puppet_etc_t; - ') - - files_search_etc($1) - allow $1 puppet_etc_t:dir list_dir_perms; - allow $1 puppet_etc_t:file read_file_perms; - allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_read_config'($*)) dnl - ') - - -################################################ -## -## Read Puppet lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`puppet_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_read_lib_files'($*)) dnl - - gen_require(` - type puppet_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_read_lib_files'($*)) dnl - ') - - -############################################### -## -## Create, read, write, and delete -## puppet lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`puppet_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_manage_lib_files'($*)) dnl - - gen_require(` - type puppet_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_manage_lib_files'($*)) dnl - ') - - -##################################### -## -## Append puppet log files. -## -## -## -## Domain allowed access. -## -## -# - define(`puppet_append_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_append_log_files'($*)) dnl - - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, puppet_log_t, puppet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_append_log_files'($*)) dnl - ') - - -##################################### -## -## Create puppet log files. -## -## -## -## Domain allowed access. -## -## -# - define(`puppet_create_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_create_log_files'($*)) dnl - - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - create_files_pattern($1, puppet_log_t, puppet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_create_log_files'($*)) dnl - ') - - -##################################### -## -## Read puppet log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`puppet_read_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_read_log_files'($*)) dnl - - gen_require(` - type puppet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, puppet_log_t, puppet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_read_log_files'($*)) dnl - ') - - -################################################ -## -## Read and write to puppet tempoprary files. -## -## -## -## Domain allowed access. -## -## -# - define(`puppet_rw_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_rw_tmp'($*)) dnl - - gen_require(` - type puppet_tmp_t; - ') - - files_search_tmp($1) - allow $1 puppet_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_rw_tmp'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an puppet environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`puppet_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `puppet_admin'($*)) dnl - - gen_require(` - type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t; - type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t; - type puppet_runtime_t, puppetmaster_tmp_t; - type puppet_t, puppetca_t, puppetmaster_t; - ') - - allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) - - init_startstop_service($1, $2, puppet_t, puppet_initrc_exec_t) - init_startstop_service($1, $2, puppetmaster_t, puppetmaster_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, puppet_etc_t) - - logging_search_logs($1) - admin_pattern($1, puppet_log_t) - - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) - - files_search_pids($1) - admin_pattern($1, puppet_runtime_t) - - files_search_tmp($1) - admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t }) - - puppet_run_puppetca($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `puppet_admin'($*)) dnl - ') - -## Policy for managing user accounts. - -######################################## -## -## Execute chfn in the chfn domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`usermanage_domtrans_chfn',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_chfn'($*)) dnl - - gen_require(` - type chfn_t, chfn_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chfn_exec_t, chfn_t) - - ifdef(`hide_broken_symptoms',` - dontaudit chfn_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_domtrans_chfn'($*)) dnl - ') - - -######################################## -## -## Execute chfn in the chfn domain, and -## allow the specified role the chfn domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`usermanage_run_chfn',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_run_chfn'($*)) dnl - - gen_require(` - attribute_role chfn_roles; - ') - - usermanage_domtrans_chfn($1) - roleattribute $2 chfn_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_run_chfn'($*)) dnl - ') - - -######################################## -## -## Execute groupadd in the groupadd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`usermanage_domtrans_groupadd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_groupadd'($*)) dnl - - gen_require(` - type groupadd_t, groupadd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, groupadd_exec_t, groupadd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit groupadd_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_domtrans_groupadd'($*)) dnl - ') - - -######################################## -## -## Execute groupadd in the groupadd domain, and -## allow the specified role the groupadd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`usermanage_run_groupadd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_run_groupadd'($*)) dnl - - gen_require(` - attribute_role groupadd_roles; - ') - - usermanage_domtrans_groupadd($1) - roleattribute $2 groupadd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_run_groupadd'($*)) dnl - ') - - -######################################## -## -## Execute passwd in the passwd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`usermanage_domtrans_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_passwd'($*)) dnl - - gen_require(` - type passwd_t, passwd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, passwd_exec_t, passwd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit passwd_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_domtrans_passwd'($*)) dnl - ') - - -######################################## -## -## Send sigkills to passwd. 
-## -## -## -## Domain allowed access. -## -## -# - define(`usermanage_kill_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_kill_passwd'($*)) dnl - - gen_require(` - type passwd_t; - ') - - allow $1 passwd_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_kill_passwd'($*)) dnl - ') - - -######################################## -## -## Check if the passwd binary is executable. -## -## -## -## Domain allowed access. -## -## -# - define(`usermanage_check_exec_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_passwd'($*)) dnl - - gen_require(` - type passwd_exec_t; - ') - - allow $1 passwd_exec_t:file { execute getattr_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_check_exec_passwd'($*)) dnl - ') - - -######################################## -## -## Execute passwd in the passwd domain, and -## allow the specified role the passwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`usermanage_run_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_run_passwd'($*)) dnl - - gen_require(` - attribute_role passwd_roles; - ') - - usermanage_domtrans_passwd($1) - roleattribute $2 passwd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_run_passwd'($*)) dnl - ') - - -######################################## -## -## Execute password admin functions in -## the admin passwd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`usermanage_domtrans_admin_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_admin_passwd'($*)) dnl - - gen_require(` - type sysadm_passwd_t, admin_passwd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_domtrans_admin_passwd'($*)) dnl - ') - - -######################################## -## -## Execute passwd admin functions in the admin -## passwd domain, and allow the specified role -## the admin passwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`usermanage_run_admin_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_run_admin_passwd'($*)) dnl - - gen_require(` - attribute_role sysadm_passwd_roles; - ') - - usermanage_domtrans_admin_passwd($1) - roleattribute $2 sysadm_passwd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_run_admin_passwd'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use useradd fds. -## -## -## -## Domain to not audit. -## -## -# - define(`usermanage_dontaudit_use_useradd_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_dontaudit_use_useradd_fds'($*)) dnl - - gen_require(` - type useradd_t; - ') - - dontaudit $1 useradd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_dontaudit_use_useradd_fds'($*)) dnl - ') - - -######################################## -## -## Execute useradd in the useradd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`usermanage_domtrans_useradd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_useradd'($*)) dnl - - gen_require(` - type useradd_t, useradd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, useradd_exec_t, useradd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit useradd_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_domtrans_useradd'($*)) dnl - ') - - -######################################## -## -## Check if the useradd binaries are executable. -## -## -## -## Domain allowed access. -## -## -# - define(`usermanage_check_exec_useradd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_useradd'($*)) dnl - - gen_require(` - type useradd_exec_t; - ') - - allow $1 useradd_exec_t:file { execute getattr_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_check_exec_useradd'($*)) dnl - ') - - -######################################## -## -## Execute useradd in the useradd domain, and -## allow the specified role the useradd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`usermanage_run_useradd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_run_useradd'($*)) dnl - - gen_require(` - attribute_role useradd_roles; - ') - - usermanage_domtrans_useradd($1) - roleattribute $2 useradd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_run_useradd'($*)) dnl - ') - - -######################################## -## -## Read the crack database. -## -## -## -## Domain allowed access. 
-## -## -# - define(`usermanage_read_crack_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usermanage_read_crack_db'($*)) dnl - - gen_require(` - type crack_db_t; - ') - - files_search_var($1) - read_files_pattern($1, crack_db_t, crack_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usermanage_read_crack_db'($*)) dnl - ') - -## Execute a command with a substitute user - -####################################### -## -## The role template for the sudo module. -## -## -##

-## This template creates a derived domain which is allowed -## to change the linux user id, to run commands as a different -## user. -##

-##
-## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# - define(`sudo_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sudo_role_template'($*)) dnl - - - gen_require(` - type sudo_exec_t; - attribute sudodomain; - ') - - ############################## - # - # Declarations - # - - type $1_sudo_t, sudodomain; - userdom_user_application_domain($1_sudo_t, sudo_exec_t) - domain_interactive_fd($1_sudo_t) - domain_role_change_exemption($1_sudo_t) - role $2 types $1_sudo_t; - - ############################## - # - # Local Policy - # - - # Use capabilities. - allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource }; - allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate }; - allow $1_sudo_t self:process { setexec setrlimit }; - allow $1_sudo_t self:fd use; - allow $1_sudo_t self:fifo_file rw_fifo_file_perms; - allow $1_sudo_t self:shm create_shm_perms; - allow $1_sudo_t self:sem create_sem_perms; - allow $1_sudo_t self:msgq create_msgq_perms; - allow $1_sudo_t self:msg { send receive }; - allow $1_sudo_t self:unix_dgram_socket create_socket_perms; - allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; - allow $1_sudo_t self:unix_dgram_socket sendto; - allow $1_sudo_t self:unix_stream_socket connectto; - allow $1_sudo_t self:key manage_key_perms; - - allow $1_sudo_t $3:key search; - - # Transmit SIGWINCH to children - allow $1_sudo_t $3:process signal; - - # Enter this derived domain from the user domain - domtrans_pattern($3, sudo_exec_t, $1_sudo_t) - - # By default, revert to the calling domain when a shell is executed. 
- corecmd_shell_domtrans($1_sudo_t, $3) - corecmd_bin_domtrans($1_sudo_t, $3) - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; - allow $3 $1_sudo_t:process signal_perms; - - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) - kernel_link_key($1_sudo_t) - - corecmd_exec_all_executables($1_sudo_t) - - dev_getattr_fs($1_sudo_t) - dev_read_urand($1_sudo_t) - dev_rw_generic_usb_dev($1_sudo_t) - dev_read_sysfs($1_sudo_t) - - domain_use_interactive_fds($1_sudo_t) - domain_sigchld_interactive_fds($1_sudo_t) - domain_getattr_all_entry_files($1_sudo_t) - - files_read_etc_files($1_sudo_t) - files_read_var_files($1_sudo_t) - files_read_usr_symlinks($1_sudo_t) - files_getattr_usr_files($1_sudo_t) - # for some PAM modules and for cwd - files_dontaudit_search_home($1_sudo_t) - files_list_tmp($1_sudo_t) - - fs_search_auto_mountpoints($1_sudo_t) - fs_getattr_xattr_fs($1_sudo_t) - - selinux_validate_context($1_sudo_t) - selinux_compute_relabel_context($1_sudo_t) - - term_getattr_pty_fs($1_sudo_t) - term_dontaudit_getattr_unallocated_ttys($1_sudo_t) - term_relabel_all_ttys($1_sudo_t) - term_relabel_all_ptys($1_sudo_t) - - auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_pam($1_sudo_t) - auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") - - init_rw_utmp($1_sudo_t) - - logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - - miscfiles_read_localization($1_sudo_t) - - seutil_read_default_contexts($1_sudo_t) - seutil_libselinux_linked($1_sudo_t) - - userdom_spec_domtrans_all_users($1_sudo_t) - userdom_create_all_users_keys($1_sudo_t) - userdom_create_user_pty($1_sudo_t) - userdom_manage_user_home_content_files($1_sudo_t) - userdom_manage_user_home_content_symlinks($1_sudo_t) - userdom_manage_user_tmp_files($1_sudo_t) - userdom_manage_user_tmp_symlinks($1_sudo_t) - userdom_setattr_user_ptys($1_sudo_t) - 
userdom_use_user_terminals($1_sudo_t) - # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) - userdom_dontaudit_search_user_home_dirs($1_sudo_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_sudo_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_sudo_t) - ') - - optional_policy(` - dbus_system_bus_client($1_sudo_t) - - ifdef(`init_systemd',` - init_dbus_chat($1_sudo_t) - ') - ') - - optional_policy(` - fprintd_dbus_chat($1_sudo_t) - ') - - ifdef(`distro_gentoo',` - # Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too - dev_dontaudit_getattr_all_blk_files($1_sudo_t) - dev_dontaudit_getattr_all_chr_files($1_sudo_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sudo_role_template'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to the sudo domain. -## -## -## -## Domain allowed access. -## -## -# - define(`sudo_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sudo_sigchld'($*)) dnl - - gen_require(` - attribute sudodomain; - ') - - allow $1 sudodomain:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sudo_sigchld'($*)) dnl - ') - -## fake-hwclock - Control fake hardware clock. - -######################################## -## -## Execute a domain transition to run fake-hwclock. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`fakehwclock_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fakehwclock_domtrans'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type fakehwclock_t, fakehwclock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fakehwclock_exec_t, fakehwclock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fakehwclock_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute fake-hwclock in the fake-hwclock domain, -## and allow the specified role -## the fake-hwclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`fakehwclock_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fakehwclock_run'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - attribute_role fakehwclock_roles; - ') - - fakehwclock_domtrans($1) - roleattribute $2 fakehwclock_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fakehwclock_run'($*)) dnl - ') - - -######################################## -## -## All the rules required to -## administrate an fake-hwclock environment. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`fakehwclock_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fakehwclock_admin'($*)) dnl - - gen_require(` - type fakehwclock_t, fakehwclock_backup_t, fakehwclock_initrc_exec_t; - type fakehwclock_unit_t; - ') - - admin_process_pattern($1, fakehwclock_t) - - init_startstop_service($1, $2, fakehwclock_t, fakehwclock_initrc_exec_t, fakehwclock_unit_t) - - files_search_etc($1) - admin_pattern($1, fakehwclock_backup_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fakehwclock_admin'($*)) dnl - ') - -## Manage temporary directory sizes and file ages. - -######################################## -## -## Execute tmpreaper in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`tmpreaper_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpreaper_exec'($*)) dnl - - gen_require(` - type tmpreaper_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tmpreaper_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpreaper_exec'($*)) dnl - ') - -## Anaconda installer. -## IEEE 802.11 wireless LAN sniffer. - -######################################## -## -## Role access for kismet. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`kismet_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_role'($*)) dnl - - gen_require(` - type kismet_home_t, kismet_tmp_t, kismet_tmpfs_t; - type kismet_t; - ') - - kismet_run($1, $2) - - allow $2 kismet_t:process { ptrace signal_perms }; - ps_process_pattern($2, kismet_t) - - allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_home_t:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, kismet_home_t, dir, ".kismet") - - allow $2 kismet_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 kismet_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 kismet_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 kismet_tmpfs_t:file { manage_file_perms relabel_file_perms }; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_role'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run kismet. -## -## -## -## Domain allowed to transition. -## -## -# - define(`kismet_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_domtrans'($*)) dnl - - gen_require(` - type kismet_t, kismet_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kismet_exec_t, kismet_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute kismet in the kismet domain, and -## allow the specified role the kismet domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`kismet_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_run'($*)) dnl - - gen_require(` - attribute_role kismet_roles; - ') - - kismet_domtrans($1) - roleattribute $2 kismet_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_run'($*)) dnl - ') - - -######################################## -## -## Read kismet pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`kismet_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_read_pid_files'($*)) dnl - - gen_require(` - type kismet_runtime_t; - ') - - files_search_pids($1) - allow $1 kismet_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kismet pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`kismet_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_manage_pid_files'($*)) dnl - - gen_require(` - type kismet_runtime_t; - ') - - files_search_pids($1) - allow $1 kismet_runtime_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Search kismet lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kismet_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_search_lib'($*)) dnl - - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 kismet_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_search_lib'($*)) dnl - ') - - -######################################## -## -## Read kismet lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`kismet_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_read_lib_files'($*)) dnl - - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 kismet_var_lib_t:dir list_dir_perms; - allow $1 kismet_var_lib_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kismet lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`kismet_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_manage_lib_files'($*)) dnl - - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kismet lib content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kismet_manage_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_manage_lib'($*)) dnl - - gen_require(` - type kismet_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_manage_lib'($*)) dnl - ') - - -######################################## -## -## Read kismet log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kismet_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_read_log'($*)) dnl - - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, kismet_log_t, kismet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_read_log'($*)) dnl - ') - - -######################################## -## -## Append kismet log files. -## -## -## -## Domain allowed access. -## -## -# - define(`kismet_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_append_log'($*)) dnl - - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, kismet_log_t, kismet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kismet log content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kismet_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_manage_log'($*)) dnl - - gen_require(` - type kismet_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, kismet_log_t, kismet_log_t) - manage_files_pattern($1, kismet_log_t, kismet_log_t) - manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_manage_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an kismet environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`kismet_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kismet_admin'($*)) dnl - - gen_require(` - type kismet_t, kismet_var_lib_t, kismet_runtime_t; - type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; - ') - - init_startstop_service($1, $2, kismet_t, kismet_initrc_exec_t) - - ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; - - files_search_var_lib($1) - admin_pattern($1, kismet_var_lib_t) - - files_search_pids($1) - admin_pattern($1, kismet_runtime_t) - - logging_search_logs($1) - admin_pattern($1, kismet_log_t) - - files_search_tmp($1) - admin_pattern($1, kismet_tmp_t) - - kismet_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kismet_admin'($*)) dnl - ') - -## Decode DMI data for x86/ia64 bioses. - -######################################## -## -## Execute dmidecode in the dmidecode domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`dmidecode_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dmidecode_domtrans'($*)) dnl - - gen_require(` - type dmidecode_t, dmidecode_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dmidecode_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute dmidecode in the dmidecode -## domain, and allow the specified -## role the dmidecode domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dmidecode_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dmidecode_run'($*)) dnl - - gen_require(` - attribute_role dmidecode_roles; - ') - - dmidecode_domtrans($1) - roleattribute $2 dmidecode_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dmidecode_run'($*)) dnl - ') - -## Policy for the kernel modules, kernel image, and bootloader. - -######################################## -## -## Execute bootloader in the bootloader domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`bootloader_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_domtrans'($*)) dnl - - gen_require(` - type bootloader_t, bootloader_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bootloader_exec_t, bootloader_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute bootloader interactively and do -## a domain transition to the bootloader domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bootloader_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_run'($*)) dnl - - gen_require(` - attribute_role bootloader_roles; - ') - - bootloader_domtrans($1) - roleattribute $2 bootloader_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_run'($*)) dnl - ') - - -######################################## -## -## Execute bootloader in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`bootloader_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_exec'($*)) dnl - - gen_require(` - type bootloader_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, bootloader_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_exec'($*)) dnl - ') - - -######################################## -## -## Read the bootloader configuration file. -## -## -## -## Domain allowed access. -## -## -# - define(`bootloader_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_read_config'($*)) dnl - - gen_require(` - type bootloader_etc_t; - ') - - allow $1 bootloader_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_read_config'($*)) dnl - ') - - -######################################## -## -## Read and write the bootloader -## configuration file. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`bootloader_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_rw_config'($*)) dnl - - gen_require(` - type bootloader_etc_t; - ') - - allow $1 bootloader_etc_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_rw_config'($*)) dnl - ') - - -######################################## -## -## Read and write the bootloader -## temporary data in /tmp. -## -## -## -## Domain allowed access. -## -## -# - define(`bootloader_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_rw_tmp_files'($*)) dnl - - gen_require(` - type bootloader_tmp_t; - ') - - files_search_tmp($1) - allow $1 bootloader_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create, read and write the bootloader -## runtime data. -## -## -## -## Domain allowed access. -## -## -# - define(`bootloader_create_runtime_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bootloader_create_runtime_file'($*)) dnl - - gen_require(` - type boot_runtime_t; - ') - - allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; - files_boot_filetrans($1, boot_runtime_t, file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bootloader_create_runtime_file'($*)) dnl - ') - -## Aide filesystem integrity checker. - -######################################## -## -## Execute aide in the aide domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`aide_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aide_domtrans'($*)) dnl - - gen_require(` - type aide_t, aide_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aide_exec_t, aide_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aide_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute aide programs in the AIDE -## domain and allow the specified role -## the AIDE domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`aide_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aide_run'($*)) dnl - - gen_require(` - attribute_role aide_roles; - ') - - aide_domtrans($1) - roleattribute $2 aide_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aide_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an aide environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`aide_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aide_admin'($*)) dnl - - gen_require(` - type aide_t, aide_db_t, aide_log_t; - ') - - allow $1 aide_t:process { ptrace signal_perms }; - ps_process_pattern($1, aide_t) - - aide_run($1, $2) - - files_list_etc($1) - admin_pattern($1, aide_db_t) - - logging_list_logs($1) - admin_pattern($1, aide_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aide_admin'($*)) dnl - ') - -## Package Management System. - -######################################## -## -## Execute emerge in the portage domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`portage_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_domtrans'($*)) dnl - - gen_require(` - type portage_t, portage_exec_t; - type portage_tmp_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portage_exec_t, portage_t) - - can_exec($1, portage_tmp_t) # Portage does exectest - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute emerge in the portage domain, -## and allow the specified role the -## portage domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`portage_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_run'($*)) dnl - - gen_require(` - attribute_role portage_roles; - ') - - portage_domtrans($1) - roleattribute $2 portage_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_run'($*)) dnl - ') - - -######################################## -## -## Template for portage sandbox. -## -## -##

-## Template for portage sandbox. Portage -## does all compiling in the sandbox. -##

-##
-## -## -## Domain Allowed Access -## -## -# - define(`portage_compile_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_compile_domain'($*)) dnl - - gen_require(` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t; - type portage_tmp_t, portage_tmpfs_t; - ') - - allow $1 self:capability { chown dac_override dac_read_search fowner fsetid mknod net_raw setgid setuid }; - dontaudit $1 self:capability sys_chroot; - allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; - allow $1 self:fd use; - allow $1 self:fifo_file rw_fifo_file_perms; - allow $1 self:shm create_shm_perms; - allow $1 self:sem create_sem_perms; - allow $1 self:msgq create_msgq_perms; - allow $1 self:msg { send receive }; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 self:unix_dgram_socket sendto; - allow $1 self:unix_stream_socket connectto; - # really shouldnt need this - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - # misc networking stuff (esp needed for compiling perl): - allow $1 self:rawip_socket { create ioctl }; - # needed for merging dbus: - allow $1 self:netlink_selinux_socket { bind create read }; - allow $1 self:dbus send_msg; - - allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - term_create_pty($1, portage_devpts_t) - - # write compile logs - allow $1 portage_log_t:dir setattr_dir_perms; - allow $1 portage_log_t:file { write_file_perms setattr_file_perms }; - - # Support live ebuilds (-9999) - manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - 
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - allow $1 portage_srcrepo_t:file map; - - # run scripts out of the build directory - can_exec(portage_sandbox_t, portage_tmp_t) - - manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t) - manage_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) - manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t) - files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) - # SELinux-enabled programs running in the sandbox - allow $1 portage_tmp_t:file { relabel_file_perms map }; - allow $1 portage_tmp_t:dir relabel_dir_perms; - - manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) - allow $1 portage_tmpfs_t:file map; - fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - kernel_read_system_state($1) - kernel_read_network_state($1) - kernel_read_software_raid_state($1) - kernel_getattr_core_if($1) - kernel_getattr_message_if($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_all_executables($1) - - # really shouldnt need this but some packages test - # network access, such as during configure - # also distcc--need to reinvestigate confining distcc client - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_raw_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_raw_sendrecv_generic_node($1) - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_distccd_port($1) - corenet_tcp_connect_git_port($1) - - dev_read_sysfs($1) - dev_read_rand($1) - 
dev_read_urand($1) - - domain_use_interactive_fds($1) - domain_dontaudit_read_all_domains_state($1) - # SELinux-aware installs doing relabels in the sandbox - domain_obj_id_change_exemption($1) - - files_exec_etc_files($1) - files_exec_usr_src_files($1) - files_map_usr_files($1) - - # Came up with bug #496328 - fs_getattr_tmpfs($1) - fs_getattr_xattr_fs($1) - fs_list_noxattr_fs($1) - fs_read_noxattr_fs_files($1) - fs_read_noxattr_fs_symlinks($1) - fs_search_auto_mountpoints($1) - - selinux_validate_context($1) - # needed for merging dbus: - selinux_compute_access_vector($1) - - files_list_non_auth_dirs($1) - files_read_non_auth_files($1) - files_read_non_auth_symlinks($1) - - libs_exec_lib_files($1) - # some config scripts use ldd - libs_exec_ld_so($1) - libs_exec_ldconfig($1) - - logging_send_syslog_msg($1) - - miscfiles_read_localization($1) - - userdom_use_user_terminals($1) - - # SELinux-enabled programs running in the sandbox - seutil_libselinux_linked($1) - - # required by install - seutil_read_file_contexts($1) - - tunable_policy(`portage_use_nfs',` - fs_getattr_nfs($1) - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - ifdef(`TODO',` - # some gui ebuilds want to interact with X server, like xawtv - optional_policy(` - allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms }; - allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms }; - ') - ') dnl end TODO - - ifdef(`distro_gentoo',` - # Fix bug 496328 - fs_getattr_tmpfs($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_compile_domain'($*)) dnl - ') - - -######################################## -## -## Execute tree management functions -## (fetching, layman, ...) in the -## portage fetch domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`portage_domtrans_fetch',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_domtrans_fetch'($*)) dnl - - gen_require(` - type portage_fetch_t, portage_fetch_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_domtrans_fetch'($*)) dnl - ') - - -######################################## -## -## Execute tree management functions -## (fetching, layman, ...) in the -## portage fetch domain, and allow -## the specified role the portage -## fetch domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`portage_run_fetch',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_run_fetch'($*)) dnl - - gen_require(` - attribute_role portage_fetch_roles; - ') - - portage_domtrans_fetch($1) - roleattribute $2 portage_fetch_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_run_fetch'($*)) dnl - ') - - -######################################## -## -## Execute gcc-config in the gcc config domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`portage_domtrans_gcc_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_domtrans_gcc_config'($*)) dnl - - gen_require(` - type gcc_config_t, gcc_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_domtrans_gcc_config'($*)) dnl - ') - - -######################################## -## -## Execute gcc-config in the gcc config -## domain, and allow the specified role -## the gcc_config domain. 
-## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`portage_run_gcc_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_run_gcc_config'($*)) dnl - - gen_require(` - attribute_role gcc_config_roles; - ') - - portage_domtrans_gcc_config($1) - roleattribute $2 gcc_config_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_run_gcc_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## portage file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`portage_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_dontaudit_use_fds'($*)) dnl - - gen_require(` - type portage_t; - ') - - dontaudit $1 portage_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## portage temporary directories. -## -## -## -## Domain to not audit. -## -## -# - define(`portage_dontaudit_search_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_dontaudit_search_tmp'($*)) dnl - - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_dontaudit_search_tmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## the portage temporary files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`portage_dontaudit_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_dontaudit_rw_tmp_files'($*)) dnl - - gen_require(` - type portage_tmp_t; - ') - - dontaudit $1 portage_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_dontaudit_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Allow the domain to run within an eselect module script. -## -## -## -## Domain to allow within an eselect module -## -## -# Specific to Gentoo, -# eselect modules allow users to switch between different flavors or versions -# of underlying components. In return, eselect makes a wrapper binary which -# makes the proper selections. If this binary is different from bin_t, it might -# not hold the necessary privileges for the wrapper to function. However, just -# marking the target binaries doesn't always work, since for python scripts the -# wrapper doesn't execute it, but treats the target as a library. 
-# - define(`portage_eselect_module',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_eselect_module'($*)) dnl - - gen_require(` - attribute portage_eselect_domain; - ') - - typeattribute $1 portage_eselect_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_eselect_module'($*)) dnl - ') - - -######################################## -## -## Read all portage files -## -## -## -## Role allowed access -## -## -## -## -## Domain allowed access -## -## -# - define(`portage_ro_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_ro_role'($*)) dnl - - portage_read_cache($2) - portage_read_config($2) - portage_read_db($2) - portage_read_ebuild($2) - portage_read_log($2) - portage_read_srcrepo($2) - portage_dontaudit_write_cache($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_ro_role'($*)) dnl - ') - - -######################################## -## -## Read portage db files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_db'($*)) dnl - - gen_require(` - type portage_db_t; - ') - - files_search_var($1) - list_dirs_pattern($1, portage_db_t, portage_db_t) - read_files_pattern($1, portage_db_t, portage_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_db'($*)) dnl - ') - - -######################################## -## -## Read portage cache files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_cache'($*)) dnl - - gen_require(` - type portage_cache_t; - ') - - files_search_var($1) - list_dirs_pattern($1, 
portage_cache_t, portage_cache_t) - read_files_pattern($1, portage_cache_t, portage_cache_t) - read_lnk_files_pattern($1, portage_cache_t, portage_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_cache'($*)) dnl - ') - - -######################################## -## -## Read portage configuration files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_config'($*)) dnl - - gen_require(` - type portage_conf_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, portage_conf_t, portage_conf_t) - read_files_pattern($1, portage_conf_t, portage_conf_t) - allow $1 portage_conf_t:file map; - read_lnk_files_pattern($1, portage_conf_t, portage_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_config'($*)) dnl - ') - - -######################################## -## -## Read portage ebuild files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_ebuild',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_ebuild'($*)) dnl - - gen_require(` - type portage_ebuild_t; - ') - - files_search_usr($1) - list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t) - read_files_pattern($1, portage_ebuild_t, portage_ebuild_t) - allow $1 portage_ebuild_t:file map; - read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_ebuild'($*)) dnl - ') - - -######################################## -## -## Read portage log files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_log'($*)) dnl - - gen_require(` - type 
portage_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, portage_log_t, portage_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_log'($*)) dnl - ') - - -######################################## -## -## Read portage src repository files -## -## -## -## Domain allowed access -## -## -# - define(`portage_read_srcrepo',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_read_srcrepo'($*)) dnl - - gen_require(` - type portage_ebuild_t, portage_srcrepo_t; - ') - - files_search_usr($1) - list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t) - read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - allow $1 portage_srcrepo_t:file map; - read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_read_srcrepo'($*)) dnl - ') - - -######################################## -## -## Do not audit writing portage cache files -## -## -## -## Domain allowed access -## -## -# - define(`portage_dontaudit_write_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portage_dontaudit_write_cache'($*)) dnl - - gen_require(` - type portage_cache_t; - ') - - dontaudit $1 portage_cache_t:dir { setattr write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portage_dontaudit_write_cache'($*)) dnl - ') - - -## Dump topology and locality information from hardware tables. - -######################################## -## -## Execute hwloc dhwd in the hwloc dhwd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`hwloc_domtrans_dhwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hwloc_domtrans_dhwd'($*)) dnl - - gen_require(` - type hwloc_dhwd_t, hwloc_dhwd_exec_t; - ') - - domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hwloc_domtrans_dhwd'($*)) dnl - ') - - -######################################## -## -## Execute hwloc dhwd in the hwloc dhwd domain, and -## allow the specified role the hwloc dhwd domain, -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`hwloc_run_dhwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hwloc_run_dhwd'($*)) dnl - - gen_require(` - attribute_role hwloc_dhwd_roles; - ') - - hwloc_domtrans_dhwd($1) - roleattribute $2 hwloc_dhwd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hwloc_run_dhwd'($*)) dnl - ') - - -######################################## -## -## Execute hwloc dhwd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`hwloc_exec_dhwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hwloc_exec_dhwd'($*)) dnl - - gen_require(` - type hwloc_dhwd_exec_t; - ') - - can_exec($1, hwloc_dhwd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hwloc_exec_dhwd'($*)) dnl - ') - - -######################################## -## -## Read hwloc runtime files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hwloc_read_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hwloc_read_runtime_files'($*)) dnl - - gen_require(` - type hwloc_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, hwloc_runtime_t, hwloc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hwloc_read_runtime_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an hwloc environment. -## -## -## -## Domain allowed access. -## -## -## -# - define(`hwloc_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hwloc_admin'($*)) dnl - - gen_require(` - type hwloc_dhwd_t, hwloc_runtime_t; - ') - - allow $1 hwloc_dhwd_t:process { ptrace signal_perms }; - ps_process_pattern($1, hwloc_dhwd_t) - - admin_pattern($1, hwloc_runtime_t) - files_pid_filetrans($1, hwloc_runtime_t, dir, "hwloc") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hwloc_admin'($*)) dnl - ') - -## System backup scripts. - -######################################## -## -## Execute backup in the backup domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`backup_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `backup_domtrans'($*)) dnl - - gen_require(` - type backup_t, backup_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, backup_exec_t, backup_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `backup_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute backup in the backup -## domain, and allow the specified -## role the backup domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`backup_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `backup_run'($*)) dnl - - gen_require(` - attribute_role backup_roles; - ') - - backup_domtrans($1) - roleattribute $2 backup_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `backup_run'($*)) dnl - ') - - -######################################## -## -## Create, read, and write backup -## store files. -## -## -## -## Domain allowed access. -## -## -# - define(`backup_manage_store_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `backup_manage_store_files'($*)) dnl - - gen_require(` - type backup_store_t; - ') - - files_search_var($1) - manage_files_pattern($1, backup_store_t, backup_store_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `backup_manage_store_files'($*)) dnl - ') - -## System log analyzer and reporter. - -######################################## -## -## Read logwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`logwatch_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logwatch_read_tmp_files'($*)) dnl - - gen_require(` - type logwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 logwatch_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logwatch_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Search logwatch cache directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logwatch_search_cache_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logwatch_search_cache_dir'($*)) dnl - - gen_require(` - type logwatch_cache_t; - ') - - files_search_var($1) - allow $1 logwatch_cache_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logwatch_search_cache_dir'($*)) dnl - ') - -## File integrity checker. - -######################################## -## -## Execute tripwire in the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tripwire_domtrans_tripwire',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_tripwire'($*)) dnl - - gen_require(` - type tripwire_t, tripwire_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tripwire_exec_t, tripwire_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_domtrans_tripwire'($*)) dnl - ') - - -######################################## -## -## Execute tripwire in the tripwire -## domain, and allow the specified -## role the tripwire domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`tripwire_run_tripwire',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_run_tripwire'($*)) dnl - - gen_require(` - attribute_role tripwire_roles; - ') - - tripwire_domtrans_tripwire($1) - roleattribute $2 tripwire_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_run_tripwire'($*)) dnl - ') - - -######################################## -## -## Execute twadmin in the twadmin domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`tripwire_domtrans_twadmin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twadmin'($*)) dnl - - gen_require(` - type twadmin_t, twadmin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, twadmin_exec_t, twadmin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twadmin'($*)) dnl - ') - - -######################################## -## -## Execute twadmin in the twadmin -## domain, and allow the specified -## role the twadmin domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`tripwire_run_twadmin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_run_twadmin'($*)) dnl - - gen_require(` - attribute_role twadmin_roles; - ') - - tripwire_domtrans_twadmin($1) - roleattribute $2 twadmin_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_run_twadmin'($*)) dnl - ') - - -######################################## -## -## Execute twprint in the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tripwire_domtrans_twprint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twprint'($*)) dnl - - gen_require(` - type twprint_t, twprint_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, twprint_exec_t, twprint_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twprint'($*)) dnl - ') - - -######################################## -## -## Execute twprint in the twprint -## domain, and allow the specified -## role the twprint domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tripwire_run_twprint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_run_twprint'($*)) dnl - - gen_require(` - attribute_role twprint_roles; - ') - - tripwire_domtrans_twprint($1) - roleattribute $2 twprint_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_run_twprint'($*)) dnl - ') - - -######################################## -## -## Execute siggen in the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tripwire_domtrans_siggen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_siggen'($*)) dnl - - gen_require(` - type siggen_t, siggen_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, siggen_exec_t, siggen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_domtrans_siggen'($*)) dnl - ') - - -######################################## -## -## Execute siggen in the siggen domain, -## and allow the specified role -## the siggen domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`tripwire_run_siggen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tripwire_run_siggen'($*)) dnl - - gen_require(` - attribute_role siggen_roles; - ') - - tripwire_domtrans_siggen($1) - roleattribute $2 siggen_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tripwire_run_siggen'($*)) dnl - ') - -## Berkeley process accounting. - -######################################## -## -## Transition to the accounting -## management domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`acct_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acct_domtrans'($*)) dnl - - gen_require(` - type acct_t, acct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, acct_exec_t, acct_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acct_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute accounting management tools -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`acct_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acct_exec'($*)) dnl - - gen_require(` - type acct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, acct_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acct_exec'($*)) dnl - ') - - -######################################## -## -## Execute accounting management data -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`acct_exec_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acct_exec_data'($*)) dnl - - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - can_exec($1, acct_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acct_exec_data'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## process accounting data. -## -## -## -## Domain allowed access. 
-## -## -# - define(`acct_manage_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acct_manage_data'($*)) dnl - - gen_require(` - type acct_data_t; - ') - - files_search_var($1) - manage_files_pattern($1, acct_data_t, acct_data_t) - manage_lnk_files_pattern($1, acct_data_t, acct_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acct_manage_data'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an acct environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`acct_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acct_admin'($*)) dnl - - gen_require(` - type acct_t, acct_initrc_exec_t, acct_data_t; - ') - - allow $1 acct_t:process { ptrace signal_perms }; - ps_process_pattern($1, acct_t) - - init_startstop_service($1, $2, acct_t, acct_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, acct_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acct_admin'($*)) dnl - ') - -## Cross platform network backup. - -######################################## -## -## Execute bacula admin bacula -## admin domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`bacula_domtrans_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bacula_domtrans_admin'($*)) dnl - - gen_require(` - type bacula_admin_t, bacula_admin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bacula_domtrans_admin'($*)) dnl - ') - - -######################################## -## -## Execute user interfaces in the -## bacula admin domain, and allow the -## specified role the bacula admin domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`bacula_run_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bacula_run_admin'($*)) dnl - - gen_require(` - attribute_role bacula_admin_roles; - ') - - bacula_domtrans_admin($1) - roleattribute $2 bacula_admin_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bacula_run_admin'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bacula environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bacula_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bacula_admin'($*)) dnl - - gen_require(` - type bacula_t, bacula_etc_t, bacula_log_t; - type bacula_spool_t, bacula_var_lib_t; - type bacula_runtime_t, bacula_initrc_exec_t; - ') - - allow $1 bacula_t:process { ptrace signal_perms }; - ps_process_pattern($1, bacula_t) - - init_startstop_service($1, $2, bacula_t, bacula_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, bacula_etc_t) - - logging_search_logs($1) - admin_pattern($1, bacula_log_t) - - files_search_var($1) - admin_pattern($1, bacula_spool_t) - - files_search_var_lib($1) - admin_pattern($1, bacula_var_lib_t) - - files_search_pids($1) - admin_pattern($1, bacula_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bacula_admin'($*)) dnl - ') - -## Initial system configuration utility. - -######################################## -## -## Execute firstboot in the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`firstboot_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_domtrans'($*)) dnl - - gen_require(` - type firstboot_t, firstboot_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, firstboot_exec_t, firstboot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute firstboot in the firstboot -## domain, and allow the specified role -## the firstboot domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`firstboot_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_run'($*)) dnl - - gen_require(` - attribute_role firstboot_roles; - ') - - firstboot_domtrans($1) - roleattribute $2 firstboot_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_run'($*)) dnl - ') - - -######################################## -## -## Inherit and use firstboot file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`firstboot_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_use_fds'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## firstboot file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`firstboot_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_use_fds'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Write firstboot unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`firstboot_write_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_write_pipes'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_write_pipes'($*)) dnl - ') - - -######################################## -## -## Read and Write firstboot unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`firstboot_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_rw_pipes'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - allow $1 firstboot_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attemps to read and -## write firstboot unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`firstboot_dontaudit_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_pipes'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attemps to read and -## write firstboot unix domain -## stream sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`firstboot_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type firstboot_t; - ') - - dontaudit $1 firstboot_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_stream_sockets'($*)) dnl - ') - -## Cross-platform network configuration library. - -######################################## -## -## Execute a domain transition to run ncftool. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ncftool_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ncftool_domtrans'($*)) dnl - - gen_require(` - type ncftool_t, ncftool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ncftool_exec_t, ncftool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ncftool_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ncftool in the ncftool -## domain, and allow the specified -## role the ncftool domain. -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access. -## -## -# - define(`ncftool_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ncftool_run'($*)) dnl - - gen_require(` - attribute_role ncftool_roles; - ') - - ncftool_domtrans($1) - roleattribute $2 ncftool_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ncftool_run'($*)) dnl - ') - -## System administration tool for networks. - -####################################### -## -## The template to define a cfengine domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`cfengine_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cfengine_domain_template'($*)) dnl - - gen_require(` - attribute cfengine_domain; - ') - - ######################################## - # - # Declarations - # - - type cfengine_$1_t, cfengine_domain; - type cfengine_$1_exec_t; - init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) - - ######################################## - # - # Policy - # - - auth_use_nsswitch(cfengine_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cfengine_domain_template'($*)) dnl - ') - - -######################################## -## -## Read cfengine lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`cfengine_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cfengine_read_lib_files'($*)) dnl - - gen_require(` - type cfengine_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cfengine_read_lib_files'($*)) dnl - ') - - -#################################### -## -## Do not audit attempts to write -## cfengine log files. -## -## -## -## Domain to not audit. -## -## -# - define(`cfengine_dontaudit_write_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cfengine_dontaudit_write_log_files'($*)) dnl - - gen_require(` - type cfengine_log_t; - ') - - dontaudit $1 cfengine_log_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cfengine_dontaudit_write_log_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cfengine environment. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`cfengine_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cfengine_admin'($*)) dnl - - gen_require(` - attribute cfengine_domain; - type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; - ') - - allow $1 cfengine_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cfengine_domain) - - init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cfengine_admin'($*)) dnl - ') - -## SUID/SGID program monitoring. - -######################################## -## -## Read sxid log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sxid_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sxid_read_log'($*)) dnl - - gen_require(` - type sxid_log_t; - ') - - logging_search_logs($1) - allow $1 sxid_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sxid_read_log'($*)) dnl - ') - -## List kernel modules of USB devices. - -######################################## -## -## Execute usbmodules in the usbmodules domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`usbmodules_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usbmodules_domtrans'($*)) dnl - - gen_require(` - type usbmodules_t, usbmodules_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usbmodules_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute usbmodules in the usbmodules -## domain, and allow the specified -## role the usbmodules domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`usbmodules_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usbmodules_run'($*)) dnl - - gen_require(` - attribute_role usbmodules_roles; - ') - - usbmodules_domtrans($1) - roleattribute $2 usbmodules_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usbmodules_run'($*)) dnl - ') - -## Rotates, compresses, removes and mails system log files. - -######################################## -## -## Execute logrotate in the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`logrotate_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_domtrans'($*)) dnl - - gen_require(` - type logrotate_t, logrotate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, logrotate_exec_t, logrotate_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute logrotate in the logrotate -## domain, and allow the specified -## role the logrotate domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`logrotate_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_run'($*)) dnl - - gen_require(` - attribute_role logrotate_roles; - ') - - logrotate_domtrans($1) - roleattribute $2 logrotate_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_run'($*)) dnl - ') - - -######################################## -## -## Execute logrotate in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`logrotate_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_exec'($*)) dnl - - gen_require(` - type logrotate_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, logrotate_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_exec'($*)) dnl - ') - - -######################################## -## -## Inherit and use logrotate file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`logrotate_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_use_fds'($*)) dnl - - gen_require(` - type logrotate_t; - ') - - allow $1 logrotate_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## logrotate file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`logrotate_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_dontaudit_use_fds'($*)) dnl - - gen_require(` - type logrotate_t; - ') - - dontaudit $1 logrotate_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Read logrotate temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`logrotate_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logrotate_read_tmp_files'($*)) dnl - - gen_require(` - type logrotate_tmp_t; - ') - - files_search_tmp($1) - allow $1 logrotate_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logrotate_read_tmp_files'($*)) dnl - ') - -## Run shells with substitute user and group. - -####################################### -## -## Restricted su domain template. -## -## -##

-## This template creates a derived domain which is allowed -## to change the linux user id, to run shells as a different -## user. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the user domain. -## -## -## -## -## The role associated with the user domain. -## -## -# - define(`su_restricted_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `su_restricted_domain_template'($*)) dnl - - gen_require(` - type su_exec_t; - ') - - type $1_su_t; - domain_entry_file($1_su_t, su_exec_t) - domain_type($1_su_t) - domain_interactive_fd($1_su_t) - role $3 types $1_su_t; - - allow $2 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:key { search write }; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:unix_stream_socket create_stream_socket_perms; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) - - # By default, revert to the calling domain when a shell is executed. 
- corecmd_shell_domtrans($1_su_t,$2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dirs($1_su_t) - - # for the rootok check - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_rw_faillog($1_su_t) - - domain_use_interactive_fds($1_su_t) - - init_dontaudit_use_fds($1_su_t) - init_dontaudit_use_script_ptys($1_su_t) - # Write to utmp. - init_rw_utmp($1_su_t) - init_search_script_keys($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') - - optional_policy(` - kerberos_use($1_su_t) - ') - - optional_policy(` - # used when the password has expired - usermanage_read_crack_db($1_su_t) - ') - - ifdef(`distro_gentoo',` - # Fix bug 554080 - Allow su to query SELinux subsystem (netlink_selinux_socket) - allow $1_su_t self:netlink_selinux_socket { create bind read }; - selinux_get_fs_mount($1_su_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `su_restricted_domain_template'($*)) dnl - ') - - -####################################### -## -## The role template for the su module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. 
-## -## -# - define(`su_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `su_role_template'($*)) dnl - - gen_require(` - type su_exec_t; - ') - - type $1_su_t; - userdom_user_application_domain($1_su_t, su_exec_t) - domain_interactive_fd($1_su_t) - role $2 types $1_su_t; - - allow $3 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; - dontaudit $1_su_t self:capability { net_admin sys_tty_config }; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:key { search write }; - - allow $1_su_t $3:key search; - - # Transition from the user domain to this domain. - domtrans_pattern($3, su_exec_t, $1_su_t) - - ps_process_pattern($3, $1_su_t) - - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_su_t, $3) - allow $3 $1_su_t:fd use; - allow $3 $1_su_t:fifo_file rw_file_perms; - allow $3 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) - - # for SSP - dev_read_urand($1_su_t) - - fs_search_auto_mountpoints($1_su_t) - - # needed for pam_rootok - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_rw_faillog($1_su_t) - - corecmd_search_bin($1_su_t) - - domain_use_interactive_fds($1_su_t) - - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) - files_dontaudit_getattr_tmp_dirs($1_su_t) - - init_dontaudit_use_fds($1_su_t) - init_dontaudit_read_state($1_su_t) - # Write to utmp. 
- init_rw_utmp($1_su_t) - - mls_file_write_all_levels($1_su_t) - - logging_send_syslog_msg($1_su_t) - - miscfiles_read_localization($1_su_t) - - # pam_unix is linked against libselinux - seutil_libselinux_linked($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora - auth_domtrans_upd_passwd($1_su_t) - - optional_policy(` - locallogin_search_keys($1_su_t) - ') - ') - - optional_policy(` - auth_use_pam_systemd($1_su_t) - ') - - tunable_policy(`allow_polyinstantiation',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs($1_su_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_search_cifs($1_su_t) - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') - - optional_policy(` - kerberos_use($1_su_t) - ') - - optional_policy(` - # used when the password has expired - usermanage_read_crack_db($1_su_t) - ') - - # Modify .Xauthority file (via xauth program). - optional_policy(` - xserver_user_home_dir_filetrans_user_xauth($1_su_t) - xserver_domtrans_xauth($1_su_t) - ') - - ifdef(`distro_gentoo',` - selinux_get_fs_mount($1_su_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `su_role_template'($*)) dnl - ') - - -####################################### -## -## Execute su in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`su_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `su_exec'($*)) dnl - - gen_require(` - type su_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, su_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `su_exec'($*)) dnl - ') - -## Advanced Maryland Automatic Network Disk Archiver. - -######################################## -## -## Execute a domain transition to run -## Amanda recover. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`amanda_domtrans_recover',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_domtrans_recover'($*)) dnl - - gen_require(` - type amanda_recover_t, amanda_recover_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_domtrans_recover'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## Amanda recover, and allow the specified -## role the Amanda recover domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`amanda_run_recover',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_run_recover'($*)) dnl - - gen_require(` - attribute_role amanda_recover_roles; - ') - - amanda_domtrans_recover($1) - roleattribute $2 amanda_recover_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_run_recover'($*)) dnl - ') - - -######################################## -## -## Search Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# - define(`amanda_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_search_lib'($*)) dnl - - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_search_lib'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read /etc/dumpdates. -## -## -## -## Domain to not audit. 
-## -## -# - define(`amanda_dontaudit_read_dumpdates',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_dontaudit_read_dumpdates'($*)) dnl - - gen_require(` - type amanda_dumpdates_t; - ') - - dontaudit $1 amanda_dumpdates_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_dontaudit_read_dumpdates'($*)) dnl - ') - - -######################################## -## -## Read and write /etc/dumpdates. -## -## -## -## Domain allowed access. -## -## -# - define(`amanda_rw_dumpdates_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_rw_dumpdates_files'($*)) dnl - - gen_require(` - type amanda_dumpdates_t; - ') - - files_search_etc($1) - allow $1 amanda_dumpdates_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_rw_dumpdates_files'($*)) dnl - ') - - -######################################## -## -## Manage Amanda library directories. -## -## -## -## Domain allowed access. -## -## -# - define(`amanda_manage_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_manage_lib'($*)) dnl - - gen_require(` - type amanda_usr_lib_t; - ') - - files_search_usr($1) - allow $1 amanda_usr_lib_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_manage_lib'($*)) dnl - ') - - -######################################## -## -## Read and append amanda log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`amanda_append_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_append_log_files'($*)) dnl - - gen_require(` - type amanda_log_t; - ') - - logging_search_logs($1) - allow $1 amanda_log_t:file { read_file_perms append_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_append_log_files'($*)) dnl - ') - - -####################################### -## -## Search Amanda var library directories. -## -## -## -## Domain allowed access. -## -## -# - define(`amanda_search_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amanda_search_var_lib'($*)) dnl - - gen_require(` - type amanda_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 amanda_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amanda_search_var_lib'($*)) dnl - ') - -## Prelink ELF shared library mappings. - -######################################## -## -## Execute prelink in the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`prelink_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_domtrans'($*)) dnl - - gen_require(` - type prelink_t, prelink_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - - ifdef(`hide_broken_symptoms',` - dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute prelink in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`prelink_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_exec'($*)) dnl - - gen_require(` - type prelink_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, prelink_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_exec'($*)) dnl - ') - - -######################################## -## -## Execute prelink in the prelink -## domain, and allow the specified role -## the prelink domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`prelink_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_run'($*)) dnl - - gen_require(` - attribute_role prelink_roles; - ') - - prelink_domtrans($1) - roleattribute $2 prelink_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_run'($*)) dnl - ') - - -######################################## -## -## Make the specified file type prelinkable. -## -## -## -## File type to be prelinked. -## -## -# - define(`prelink_object_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_object_file'($*)) dnl - - gen_require(` - attribute prelink_object; - ') - - typeattribute $1 prelink_object; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_object_file'($*)) dnl - ') - - -######################################## -## -## Read prelink cache files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`prelink_read_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_read_cache'($*)) dnl - - gen_require(` - type prelink_cache_t; - ') - - files_search_etc($1) - allow $1 prelink_cache_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_read_cache'($*)) dnl - ') - - -######################################## -## -## Delete prelink cache files. -## -## -## -## Domain allowed access. -## -## -# - define(`prelink_delete_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_delete_cache'($*)) dnl - - gen_require(` - type prelink_cache_t; - ') - - files_rw_etc_dirs($1) - allow $1 prelink_cache_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_delete_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## prelink log files. -## -## -## -## Domain allowed access. -## -## -# - define(`prelink_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_manage_log'($*)) dnl - - gen_require(` - type prelink_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, prelink_log_t, prelink_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_manage_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## prelink var_lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`prelink_manage_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_manage_lib'($*)) dnl - - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_manage_lib'($*)) dnl - ') - - -######################################## -## -## Relabel from prelink lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`prelink_relabelfrom_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_relabelfrom_lib'($*)) dnl - - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_relabelfrom_lib'($*)) dnl - ') - - -######################################## -## -## Relabel prelink lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`prelink_relabel_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelink_relabel_lib'($*)) dnl - - gen_require(` - type prelink_var_lib_t; - ') - - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelink_relabel_lib'($*)) dnl - ') - -## ddcprobe retrieves monitor and graphics card information. - -######################################## -## -## Execute ddcprobe in the ddcprobe domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ddcprobe_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ddcprobe_domtrans'($*)) dnl - - gen_require(` - type ddcprobe_t, ddcprobe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ddcprobe_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ddcprobe in the ddcprobe -## domain, and allow the specified -## role the ddcprobe domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ddcprobe_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ddcprobe_run'($*)) dnl - - gen_require(` - attribute_role ddcprobe_roles; - ') - - ddcprobe_domtrans($1) - roleattribute $2 ddcprobe_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ddcprobe_run'($*)) dnl - ') - -## System-config-kdump GUI. -## Tool to manage Bluetooth devices. - -######################################## -## -## Execute blueman in the blueman domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`blueman_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `blueman_domtrans'($*)) dnl - - gen_require(` - type blueman_t, blueman_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, blueman_exec_t, blueman_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `blueman_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## blueman over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`blueman_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `blueman_dbus_chat'($*)) dnl - - gen_require(` - type blueman_t; - class dbus send_msg; - ') - - allow $1 blueman_t:dbus send_msg; - allow blueman_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `blueman_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Search blueman lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`blueman_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `blueman_search_lib'($*)) dnl - - gen_require(` - type blueman_var_lib_t; - ') - - allow $1 blueman_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `blueman_search_lib'($*)) dnl - ') - - -######################################## -## -## Read blueman lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`blueman_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `blueman_read_lib_files'($*)) dnl - - gen_require(` - type blueman_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `blueman_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## blueman lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`blueman_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `blueman_manage_lib_files'($*)) dnl - - gen_require(` - type blueman_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `blueman_manage_lib_files'($*)) dnl - ') - -## File system quota management. - -######################################## -## -## Execute quota management tools in the quota domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`quota_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_domtrans'($*)) dnl - - gen_require(` - type quota_t, quota_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, quota_exec_t, quota_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute quota management tools in -## the quota domain, and allow the -## specified role the quota domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`quota_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_run'($*)) dnl - - gen_require(` - attribute_role quota_roles; - ') - - quota_domtrans($1) - roleattribute $2 quota_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_run'($*)) dnl - ') - - -####################################### -## -## Execute quota nld in the quota nld domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`quota_domtrans_nld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_domtrans_nld'($*)) dnl - - gen_require(` - type quota_nld_t, quota_nld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_domtrans_nld'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## quota db files. -## -## -## -## Domain allowed access. -## -## -# - define(`quota_manage_db_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_manage_db_files'($*)) dnl - - gen_require(` - type quota_db_t; - ') - - allow $1 quota_db_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_manage_db_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in specified -## directories with a type transition to -## the quota db file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Directory to transition on. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`quota_spec_filetrans_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_spec_filetrans_db'($*)) dnl - - gen_require(` - type quota_db_t; - ') - - filetrans_pattern($1, $2, quota_db_t, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_spec_filetrans_db'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attributes -## of filesystem quota data files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`quota_dontaudit_getattr_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_dontaudit_getattr_db'($*)) dnl - - gen_require(` - type quota_db_t; - ') - - dontaudit $1 quota_db_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_dontaudit_getattr_db'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## quota flag files. -## -## -## -## Domain allowed access. -## -## -# - define(`quota_manage_flags',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_manage_flags'($*)) dnl - - gen_require(` - type quota_flag_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, quota_flag_t, quota_flag_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_manage_flags'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an quota environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`quota_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quota_admin'($*)) dnl - - gen_require(` - type quota_nld_t, quota_t, quota_db_t; - type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_runtime_t; - ') - - allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { quota_nld_t quota_t }) - - init_startstop_service($1, $2, quota_nld_t, quota_nld_initrc_exec_t) - - files_list_all($1) - admin_pattern($1, { quota_db_t quota_flag_t quota_nld_runtime_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quota_admin'($*)) dnl - ') - -## Virtual Private Networking client. 
- -######################################## -## -## Execute vpn clients in the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`vpn_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_domtrans'($*)) dnl - - gen_require(` - type vpnc_t, vpnc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vpnc_exec_t, vpnc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute vpn clients in the vpnc -## domain, and allow the specified -## role the vpnc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`vpn_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_run'($*)) dnl - - gen_require(` - attribute_role vpnc_roles; - ') - - vpn_domtrans($1) - roleattribute $2 vpnc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_run'($*)) dnl - ') - - -######################################## -## -## Send kill signals to vpnc. -## -## -## -## Domain allowed access. -## -## -# - define(`vpn_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_kill'($*)) dnl - - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_kill'($*)) dnl - ') - - -######################################## -## -## Send generic signals to vpnc. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vpn_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_signal'($*)) dnl - - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to vpnc. -## -## -## -## Domain allowed access. -## -## -# - define(`vpn_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_signull'($*)) dnl - - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_signull'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## vpnc over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`vpn_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_dbus_chat'($*)) dnl - - gen_require(` - type vpnc_t; - class dbus send_msg; - ') - - allow $1 vpnc_t:dbus send_msg; - allow vpnc_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Relabelfrom from vpnc socket. -## -## -## -## Domain allowed access. -## -## -# - define(`vpn_relabelfrom_tun_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vpn_relabelfrom_tun_socket'($*)) dnl - - gen_require(` - type vpnc_t; - ') - - allow $1 vpnc_t:tun_socket relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vpn_relabelfrom_tun_socket'($*)) dnl - ') - -## Set up, mount/unmount, and delete an swap file. 
- -######################################## -## -## Dontaudit acces to the swap file. -## -## -## -## Domain to not audit. -## -## -# - define(`dphysswapfile_dontaudit_read_swap',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dphysswapfile_dontaudit_read_swap'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type dphysswapfile_swap_t; - ') - - dontaudit $1 dphysswapfile_swap_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dphysswapfile_dontaudit_read_swap'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dphys-swapfile environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dphysswapfile_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dphysswapfile_admin'($*)) dnl - - gen_require(` - type dphysswapfile_t, dphysswapfile_conf_t; - type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t; - ') - - admin_process_pattern($1, dphysswapfile_t) - - init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t) - - files_search_etc($1) - admin_pattern($1, dphysswapfile_conf_t) - - # do not grant access to swap file for now - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dphysswapfile_admin'($*)) dnl - ') - -## rkhunter - rootkit checker. - -######################################## -## -## Execute a domain transition to run rkhunter. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rkhunter_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rkhunter_domtrans'($*)) dnl - - gen_require(` - type rkhunter_t, rkhunter_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rkhunter_exec_t, rkhunter_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rkhunter_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute rkhunter in the rkhunter domain, -## and allow the specified role -## the rkhunter domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`rkhunter_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rkhunter_run'($*)) dnl - - gen_require(` - attribute_role rkhunter_roles; - ') - - rkhunter_domtrans($1) - roleattribute $2 rkhunter_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rkhunter_run'($*)) dnl - ') - -## chkrootkit - rootkit checker. - -######################################## -## -## Execute a domain transition to run chkrootkit. -## -## -## -## Domain allowed to transition. -## -## -# - define(`chkrootkit_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chkrootkit_domtrans'($*)) dnl - - gen_require(` - type chkrootkit_t, chkrootkit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chkrootkit_exec_t, chkrootkit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chkrootkit_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute chkrootkit in the chkrootkit domain, -## and allow the specified role -## the chkrootkit domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`chkrootkit_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chkrootkit_run'($*)) dnl - - gen_require(` - attribute_role chkrootkit_roles; - ') - - chkrootkit_domtrans($1) - roleattribute $2 chkrootkit_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chkrootkit_run'($*)) dnl - ') - -## Redhat package manager. - -######################################## -## -## Execute rpm in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rpm_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_domtrans'($*)) dnl - - gen_require(` - type rpm_t, rpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute debuginfo install -## in the rpm domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rpm_debuginfo_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_debuginfo_domtrans'($*)) dnl - - gen_require(` - type rpm_t, debuginfo_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, debuginfo_exec_t, rpm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_debuginfo_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute rpm scripts in the rpm script domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rpm_domtrans_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_domtrans_script'($*)) dnl - - gen_require(` - type rpm_script_t; - ') - - corecmd_shell_domtrans($1, rpm_script_t) - - allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_fifo_file_perms; - allow rpm_script_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_domtrans_script'($*)) dnl - ') - - -######################################## -## -## Execute rpm in the rpm domain, -## and allow the specified roles the -## rpm domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rpm_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_run'($*)) dnl - - gen_require(` - attribute_role rpm_roles; - ') - - rpm_domtrans($1) - roleattribute $2 rpm_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_run'($*)) dnl - ') - - -######################################## -## -## Execute the rpm in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_exec'($*)) dnl - - gen_require(` - type rpm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rpm_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_exec'($*)) dnl - ') - - -######################################## -## -## Send null signals to rpm. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_signull'($*)) dnl - - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_signull'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors from rpm. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_use_fds'($*)) dnl - - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_use_fds'($*)) dnl - ') - - -######################################## -## -## Read rpm unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_read_pipes'($*)) dnl - - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_read_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write rpm unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_rw_pipes'($*)) dnl - - gen_require(` - type rpm_t; - ') - - allow $1 rpm_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## rpm over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_dbus_chat'($*)) dnl - - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - allow $1 rpm_t:dbus send_msg; - allow rpm_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and -## receive messages from rpm over dbus. -## -## -## -## Domain to not audit. -## -## -# - define(`rpm_dontaudit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_dbus_chat'($*)) dnl - - gen_require(` - type rpm_t; - class dbus send_msg; - ') - - dontaudit $1 rpm_t:dbus send_msg; - dontaudit rpm_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_dontaudit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## rpm script over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_script_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_script_dbus_chat'($*)) dnl - - gen_require(` - type rpm_script_t; - class dbus send_msg; - ') - - allow $1 rpm_script_t:dbus send_msg; - allow rpm_script_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_script_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Search rpm log directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_search_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_search_log'($*)) dnl - - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - allow $1 rpm_log_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_search_log'($*)) dnl - ') - - -##################################### -## -## Append rpm log files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_append_log'($*)) dnl - - gen_require(` - type rpm_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpm log files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_log'($*)) dnl - - gen_require(` - type rpm_log_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 rpm_log_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_log'($*)) dnl - ') - - -######################################## -## -## Inherit and use rpm script file descriptors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_use_script_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_use_script_fds'($*)) dnl - - gen_require(` - type rpm_script_t; - ') - - allow $1 rpm_script_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_use_script_fds'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpm script temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_manage_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_script_tmp_files'($*)) dnl - - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_script_tmp_files'($*)) dnl - ') - - -##################################### -## -## Append rpm temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_append_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_append_tmp_files'($*)) dnl - - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_append_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpm temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_tmp_files'($*)) dnl - - gen_require(` - type rpm_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read rpm script temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_read_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_read_script_tmp_files'($*)) dnl - - gen_require(` - type rpm_script_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_read_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read rpm cache content. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_read_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_read_cache'($*)) dnl - - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var($1) - allow $1 rpm_var_cache_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_read_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpm cache content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_cache'($*)) dnl - - gen_require(` - type rpm_var_cache_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_cache'($*)) dnl - ') - - -######################################## -## -## Read rpm lib content. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_read_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_read_db'($*)) dnl - - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - allow $1 rpm_var_lib_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_read_db'($*)) dnl - ') - - -######################################## -## -## Delete rpm lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_delete_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_delete_db'($*)) dnl - - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_delete_db'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpm lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_db'($*)) dnl - - gen_require(` - type rpm_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - allow $1 rpm_var_lib_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_db'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete rpm lib content. -## -## -## -## Domain to not audit. -## -## -# - define(`rpm_dontaudit_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_manage_db'($*)) dnl - - gen_require(` - type rpm_var_lib_t; - ') - - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; - dontaudit $1 rpm_var_lib_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_dontaudit_manage_db'($*)) dnl - ') - - -##################################### -## -## Read rpm pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpm_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_read_pid_files'($*)) dnl - - gen_require(` - type rpm_runtime_t; - ') - - read_files_pattern($1, rpm_runtime_t, rpm_runtime_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_read_pid_files'($*)) dnl - ') - - -##################################### -## -## Create, read, write, and delete -## rpm pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpm_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_manage_pid_files'($*)) dnl - - gen_require(` - type rpm_runtime_t; - ') - - manage_files_pattern($1, rpm_runtime_t, rpm_runtime_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in pid directories -## with the rpm pid file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`rpm_pid_filetrans_rpm_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_pid_filetrans_rpm_pid'($*)) dnl - - gen_require(` - type rpm_runtime_t; - ') - - files_pid_filetrans($1, rpm_runtime_t, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_pid_filetrans_rpm_pid'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rpm environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rpm_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpm_admin'($*)) dnl - - gen_require(` - type rpm_t, rpm_script_t, rpm_initrc_exec_t; - type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; - type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_runtime_t; - type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; - ') - - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) - - init_startstop_service($1, $2, rpm_t, rpm_initrc_exec_t) - - admin_pattern($1, rpm_file_t) - - files_list_var($1) - admin_pattern($1, rpm_var_cache_t) - - files_list_tmp($1) - admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, rpm_var_lib_t) - - files_search_locks($1) - admin_pattern($1, rpm_lock_t) - - logging_list_logs($1) - admin_pattern($1, rpm_log_t) - - files_list_pids($1) - admin_pattern($1, rpm_runtime_t) - - fs_search_tmpfs($1) - admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpm_admin'($*)) dnl - ') - -## Hardware detection and configuration tools. - -######################################## -## -## Execute kudzu in the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`kudzu_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kudzu_domtrans'($*)) dnl - - gen_require(` - type kudzu_t, kudzu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kudzu_exec_t, kudzu_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kudzu_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute kudzu in the kudzu domain, and -## allow the specified role the kudzu domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`kudzu_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kudzu_run'($*)) dnl - - gen_require(` - attribute_role kudzu_roles; - ') - - kudzu_domtrans($1) - roleattribute $2 kudzu_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kudzu_run'($*)) dnl - ') - - -######################################## -## -## Get attributes of kudzu executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`kudzu_getattr_exec_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kudzu_getattr_exec_files'($*)) dnl - - gen_require(` - type kudzu_exec_t; - ') - - allow $1 kudzu_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kudzu_getattr_exec_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an kudzu environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`kudzu_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kudzu_admin'($*)) dnl - - gen_require(` - type kudzu_t, kudzu_initrc_exec_t, kudzu_runtime_t; - type kudzu_tmp_t; - ') - - allow $1 kudzu_t:process { ptrace signal_perms }; - ps_process_pattern($1, kudzu_t) - - init_startstop_service($1, $2, kudzu_t, kudzu_initrc_exec_t) - - files_search_tmp($1) - admin_pattern($1, kudzu_tmp_t) - - files_search_pids($1) - admin_pattern($1, kudzu_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kudzu_admin'($*)) dnl - ') - -## configuration management suite. - -######################################## -## -## Execute bcfg2 in the bcfg2 domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`bcfg2_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_domtrans'($*)) dnl - - gen_require(` - type bcfg2_t, bcfg2_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bcfg2_exec_t, bcfg2_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute bcfg2 server in the bcfg2 domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`bcfg2_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_initrc_domtrans'($*)) dnl - - gen_require(` - type bcfg2_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, bcfg2_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Search bcfg2 lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`bcfg2_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_search_lib'($*)) dnl - - gen_require(` - type bcfg2_var_lib_t; - ') - - allow $1 bcfg2_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_search_lib'($*)) dnl - ') - - -######################################## -## -## Read bcfg2 lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bcfg2_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_read_lib_files'($*)) dnl - - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## bcfg2 lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`bcfg2_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_files'($*)) dnl - - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## bcfg2 lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`bcfg2_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_dirs'($*)) dnl - - gen_require(` - type bcfg2_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bcfg2 environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bcfg2_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bcfg2_admin'($*)) dnl - - gen_require(` - type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; - type bcfg2_runtime_t; - ') - - allow $1 bcfg2_t:process { ptrace signal_perms }; - ps_process_pattern($1, bcfg2_t) - - init_startstop_service($1, $2, bcfg2_t, bcfg2_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, bcfg2_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, bcfg2_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bcfg2_admin'($*)) dnl - ') - -## Network traffic graphing. - -######################################## -## -## Read mrtg configuration -## -## -## -## Domain allowed access. -## -## -# - define(`mrtg_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mrtg_read_config'($*)) dnl - - gen_require(` - type mrtg_etc_t; - ') - - allow $1 mrtg_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mrtg_read_config'($*)) dnl - ') - - -######################################## -## -## Create and append mrtg log files. -## -## -## -## Domain allowed access. -## -## -# - define(`mrtg_append_create_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mrtg_append_create_logs'($*)) dnl - - gen_require(` - type mrtg_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, mrtg_log_t, mrtg_log_t) - create_files_pattern($1, mrtg_log_t, mrtg_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mrtg_append_create_logs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mrtg environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mrtg_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mrtg_admin'($*)) dnl - - gen_require(` - type mrtg_t, mrtg_runtime_t, mrtg_initrc_exec_t; - type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t; - type mrtg_etc_t; - ') - - allow $1 mrtg_t:process { ptrace signal_perms }; - ps_process_pattern($1, mrtg_t) - - init_startstop_service($1, $2, mrtg_t, mrtg_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, mrtg_etc_t) - - files_search_locks($1) - admin_pattern($1, mrtg_lock_t) - - logging_search_logs($1) - admin_pattern($1, mrtg_log_t) - - files_search_pids($1) - admin_pattern($1, mrtg_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, mrtg_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mrtg_admin'($*)) dnl - ') - -## Shoreline Firewall high-level tool for configuring netfilter. - -######################################## -## -## Execute a domain transition to run shorewall. -## -## -## -## Domain allowed to transition. -## -## -# - define(`shorewall_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_domtrans'($*)) dnl - - gen_require(` - type shorewall_t, shorewall_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, shorewall_exec_t, shorewall_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to run shorewall -## using executables from /var/lib. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`shorewall_lib_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_lib_domtrans'($*)) dnl - - gen_require(` - type shorewall_t, shorewall_var_lib_t; - ') - - files_search_var_lib($1) - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_lib_domtrans'($*)) dnl - ') - - -####################################### -## -## Read shorewall configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`shorewall_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_read_config'($*)) dnl - - gen_require(` - type shorewall_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_read_config'($*)) dnl - ') - - -####################################### -## -## Read shorewall pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`shorewall_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_read_pid_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_read_pid_files'($*)) dnl - ') - - -####################################### -## -## Read and write shorewall pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`shorewall_rw_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_rw_pid_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_rw_pid_files'($*)) dnl - ') - - -###################################### -## -## Read shorewall lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`shorewall_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_read_lib_files'($*)) dnl - - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_read_lib_files'($*)) dnl - ') - - -####################################### -## -## Read and write shorewall lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`shorewall_rw_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_rw_lib_files'($*)) dnl - - gen_require(` - type shorewall_var_lib_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_rw_lib_files'($*)) dnl - ') - - -####################################### -## -## Read shorewall temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`shorewall_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_read_tmp_files'($*)) dnl - - gen_require(` - type shorewall_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_read_tmp_files'($*)) dnl - ') - - -####################################### -## -## All of the rules required to -## administrate an shorewall environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`shorewall_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shorewall_admin'($*)) dnl - - gen_require(` - type shorewall_t, shorewall_lock_t, shorewall_log_t; - type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - - allow $1 shorewall_t:process { ptrace signal_perms }; - ps_process_pattern($1, shorewall_t) - - init_startstop_service($1, $2, shorewall_t, shorewall_initrc_exec_t) - - can_exec($1, shorewall_exec_t) - - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - - files_list_locks($1) - admin_pattern($1, shorewall_lock_t) - - logging_list_logs($1) - admin_pattern($1, shorewall_log_t) - - files_list_var_lib($1) - admin_pattern($1, shorewall_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, shorewall_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shorewall_admin'($*)) dnl - ') - -## run real-mode video BIOS code to alter hardware state. - -######################################## -## -## Execute vbetool in the vbetool domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`vbetool_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vbetool_domtrans'($*)) dnl - - gen_require(` - type vbetool_t, vbetool_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vbetool_exec_t, vbetool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vbetool_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute vbetool in the vbetool -## domain, and allow the specified -## role the vbetool domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`vbetool_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vbetool_run'($*)) dnl - - gen_require(` - attribute_role vbetool_roles; - ') - - vbetool_domtrans($1) - roleattribute $2 vbetool_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vbetool_run'($*)) dnl - ') - -## Debian package manager. - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dpkg_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_domtrans'($*)) dnl - - gen_require(` - type dpkg_t, dpkg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dpkg_exec_t, dpkg_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_domtrans'($*)) dnl - ') - - -######################################## -## -## Transition to dpkg_t when NNP has been set -## -## -## -## Domain allowed access. 
-## -## -# - define(`dpkg_nnp_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_nnp_domtrans'($*)) dnl - - gen_require(` - type dpkg_t; - ') - - dpkg_domtrans($1) - allow $1 dpkg_t:process2 nnp_transition; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_nnp_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute dpkg programs in the dpkg domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dpkg_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_run'($*)) dnl - - gen_require(` - attribute_role dpkg_roles; - ') - - dpkg_domtrans($1) - roleattribute $2 dpkg_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_run'($*)) dnl - ') - - -######################################## -## -## Execute the dkpg in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_exec'($*)) dnl - - gen_require(` - type dpkg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dpkg_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_exec'($*)) dnl - ') - - -######################################## -## -## Execute dpkg_script programs in -## the dpkg_script domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`dpkg_domtrans_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_domtrans_script'($*)) dnl - - gen_require(` - type dpkg_script_t; - ') - - corecmd_shell_domtrans($1, dpkg_script_t) - allow dpkg_script_t $1:fd use; - allow dpkg_script_t $1:fifo_file rw_file_perms; - allow dpkg_script_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_domtrans_script'($*)) dnl - ') - - -######################################## -## -## access dpkg_script fifos -## -## -## -## Domain allowed access -## -## -# - define(`dpkg_script_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_script_rw_pipes'($*)) dnl - - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; - allow $1 dpkg_script_t:fifo_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_script_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors from dpkg. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_use_fds'($*)) dnl - - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_use_fds'($*)) dnl - ') - - -######################################## -## -## Read from unnamed dpkg pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dpkg_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_read_pipes'($*)) dnl - - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_read_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write unnamed dpkg pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_rw_pipes'($*)) dnl - - gen_require(` - type dpkg_t; - ') - - allow $1 dpkg_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors -## from dpkg scripts. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_use_script_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_use_script_fds'($*)) dnl - - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_use_script_fds'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors -## from dpkg scripts. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dpkg_script_rw_inherited_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_script_rw_inherited_pipes'($*)) dnl - - gen_require(` - type dpkg_script_t; - ') - - allow $1 dpkg_script_t:fd use; - allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_script_rw_inherited_pipes'($*)) dnl - ') - - -######################################## -## -## Read dpkg package database content. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_read_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_read_db'($*)) dnl - - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_read_db'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## dpkg package database content. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_manage_db'($*)) dnl - - gen_require(` - type dpkg_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_manage_db'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete dpkg -## package database content. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dpkg_dontaudit_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_dontaudit_manage_db'($*)) dnl - - gen_require(` - type dpkg_var_lib_t; - ') - - dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; - dontaudit $1 dpkg_var_lib_t:file manage_file_perms; - dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_dontaudit_manage_db'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## dpkg lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_lock_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_lock_db'($*)) dnl - - gen_require(` - type dpkg_lock_t, dpkg_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 dpkg_var_lib_t:dir list_dir_perms; - allow $1 dpkg_lock_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_lock_db'($*)) dnl - ') - - -######################################## -## -## manage dpkg_script_tmp_t files and dirs -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_manage_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_manage_script_tmp_files'($*)) dnl - - gen_require(` - type dpkg_script_tmp_t; - ') - - files_search_tmp($1) - allow $1 dpkg_script_tmp_t:dir manage_dir_perms; - allow $1 dpkg_script_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_manage_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## map dpkg_script_tmp_t files -## -## -## -## Domain allowed access. 
-## -## -# - define(`dpkg_map_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_map_script_tmp_files'($*)) dnl - - gen_require(` - type dpkg_script_tmp_t; - ') - - allow $1 dpkg_script_tmp_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_map_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## read dpkg_script_tmp_t links -## -## -## -## Domain allowed access. -## -## -# - define(`dpkg_read_script_tmp_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dpkg_read_script_tmp_symlinks'($*)) dnl - - gen_require(` - type dpkg_script_tmp_t; - ') - - allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dpkg_read_script_tmp_symlinks'($*)) dnl - ') - -## Advanced package tool. - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apt_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_domtrans'($*)) dnl - - gen_require(` - type apt_t, apt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apt_exec_t, apt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the apt in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apt_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_exec'($*)) dnl - - gen_require(` - type apt_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, apt_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_exec'($*)) dnl - ') - - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`apt_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_run'($*)) dnl - - gen_require(` - attribute_role apt_roles; - ') - - apt_domtrans($1) - roleattribute $2 apt_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_run'($*)) dnl - ') - - -######################################## -## -## Use apt file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`apt_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_use_fds'($*)) dnl - - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## apt file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`apt_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_dontaudit_use_fds'($*)) dnl - - gen_require(` - type apt_t; - ') - - dontaudit $1 apt_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Read apt unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apt_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_read_pipes'($*)) dnl - - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_read_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write apt unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`apt_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_rw_pipes'($*)) dnl - - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write apt ptys. -## -## -## -## Domain allowed access. -## -## -# - define(`apt_use_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_use_ptys'($*)) dnl - - gen_require(` - type apt_devpts_t; - ') - - allow $1 apt_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_use_ptys'($*)) dnl - ') - - -######################################## -## -## Read apt package cache content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apt_read_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_read_cache'($*)) dnl - - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; - allow $1 apt_var_cache_t:file mmap_read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_read_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete apt package cache content. -## -## -## -## Domain allowed access. -## -## -# - define(`apt_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_manage_cache'($*)) dnl - - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir manage_dir_perms; - allow $1 apt_var_cache_t:file { manage_file_perms map }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_manage_cache'($*)) dnl - ') - - -######################################## -## -## Read apt package database content. -## -## -## -## Domain allowed access. -## -## -# - define(`apt_read_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_read_db'($*)) dnl - - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 apt_var_lib_t:dir list_dir_perms; - read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_read_db'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## apt package database content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apt_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_manage_db'($*)) dnl - - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_manage_db'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete apt -## package database content. -## -## -## -## Domain to not audit. -## -## -# - define(`apt_dontaudit_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apt_dontaudit_manage_db'($*)) dnl - - gen_require(` - type apt_var_lib_t; - ') - - dontaudit $1 apt_var_lib_t:dir rw_dir_perms; - dontaudit $1 apt_var_lib_t:file manage_file_perms; - dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apt_dontaudit_manage_db'($*)) dnl - ') - -## Time zone updater. - -######################################## -## -## Execute a domain transition to run tzdata. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tzdata_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tzdata_domtrans'($*)) dnl - - gen_require(` - type tzdata_t, tzdata_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tzdata_exec_t, tzdata_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tzdata_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute tzdata in the tzdata domain, -## and allow the specified role -## the tzdata domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tzdata_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tzdata_run'($*)) dnl - - gen_require(` - attribute_role tzdata_roles; - ') - - tzdata_domtrans($1) - roleattribute $2 tzdata_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tzdata_run'($*)) dnl - ') - -## Utilities for configuring the Linux ethernet bridge. - -######################################## -## -## Execute a domain transition to run brctl. -## -## -## -## Domain allowed to transition. -## -## -# - define(`brctl_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `brctl_domtrans'($*)) dnl - - gen_require(` - type brctl_t, brctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, brctl_exec_t, brctl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `brctl_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute brctl in the brctl domain, and -## allow the specified role the brctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`brctl_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `brctl_run'($*)) dnl - - gen_require(` - attribute_role brctl_roles; - ') - - brctl_domtrans($1) - roleattribute $2 brctl_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `brctl_run'($*)) dnl - ') - -## Kernel crash dumping mechanism. - -###################################### -## -## Execute kdump in the kdump domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`kdump_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdump_domtrans'($*)) dnl - - gen_require(` - type kdump_t, kdump_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kdump_exec_t, kdump_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdump_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute kdump init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`kdump_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdump_initrc_domtrans'($*)) dnl - - gen_require(` - type kdump_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdump_initrc_domtrans'($*)) dnl - ') - - -##################################### -## -## Read kdump configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`kdump_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdump_read_config'($*)) dnl - - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdump_read_config'($*)) dnl - ') - - -#################################### -## -## Create, read, write, and delete -## kdmup configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kdump_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdump_manage_config'($*)) dnl - - gen_require(` - type kdump_etc_t; - ') - - files_search_etc($1) - allow $1 kdump_etc_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdump_manage_config'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an kdump environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`kdump_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdump_admin'($*)) dnl - - gen_require(` - type kdump_t, kdump_etc_t, kdumpctl_tmp_t; - type kdump_initrc_exec_t, kdumpctl_t; - ') - - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { kdump_t kdumpctl_t }) - - init_startstop_service($1, $2, kdump_t, kdump_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, kdump_etc_t) - - files_search_tmp($1) - admin_pattern($1, kdumpctl_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdump_admin'($*)) dnl - ') - -## The Fedora hardware profiler client. -## sigrok signal analysis software suite. - -######################################## -## -## Execute sigrok in its domain. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`sigrok_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sigrok_run'($*)) dnl - - gen_require(` - type sigrok_t, sigrok_exec_t; - attribute_role sigrok_roles; - ') - - roleattribute $1 sigrok_roles; - domtrans_pattern($2, sigrok_exec_t, sigrok_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sigrok_run'($*)) dnl - ') - -## Policy for Mozilla and related web browsers. - -######################################## -## -## Role access for mozilla. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`mozilla_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_role'($*)) dnl - - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; - type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 mozilla_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, mozilla_exec_t, mozilla_t) - - allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; - ps_process_pattern($2, mozilla_t) - - allow mozilla_t $2:process signull; - allow mozilla_t $2:unix_stream_socket connectto; - - allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm rw_shm_perms; - - stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) - - allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - 
userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") - - filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") - - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - optional_policy(` - mozilla_dbus_chat($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_role'($*)) dnl - ') - - -######################################## -## -## Role access for mozilla plugin. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`mozilla_role_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_role_plugin'($*)) dnl - - gen_require(` - type mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t; - type mozilla_plugin_rw_t, mozilla_plugin_config_t, mozilla_home_t; - ') - - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) - - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - - allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; - allow $2 mozilla_plugin_t:fd use; - - stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - - allow mozilla_plugin_t $2:process signull; - allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms }; - allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms }; - allow mozilla_plugin_t $2:shm { rw_shm_perms destroy }; - allow mozilla_plugin_t $2:sem create_sem_perms; - - allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") - - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms 
relabel_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - - can_exec($2, mozilla_plugin_rw_t) - - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_role_plugin'($*)) dnl - ') - - -######################################## -## -## Read mozilla home directory content. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_read_user_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_read_user_home'($*)) dnl - - gen_require(` - type mozilla_home_t; - ') - - list_dirs_pattern($1, mozilla_home_t, mozilla_home_t) - read_files_pattern($1, mozilla_home_t, mozilla_home_t) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_read_user_home'($*)) dnl - ') - - - -######################################## -## -## Read mozilla home directory files -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_read_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_read_user_home_files'($*)) dnl - - gen_require(` - type mozilla_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_read_user_home_files'($*)) dnl - ') - - -######################################## -## -## Write mozilla home directory files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_write_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_write_user_home_files'($*)) dnl - - gen_require(` - type mozilla_home_t; - ') - - userdom_search_user_home_dirs($1) - write_files_pattern($1, mozilla_home_t, mozilla_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_write_user_home_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write mozilla home directory files. -## -## -## -## Domain to not audit. -## -## -# - define(`mozilla_dontaudit_rw_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_rw_user_home_files'($*)) dnl - - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_rw_user_home_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempt to Create, -## read, write, and delete mozilla -## home directory content. -## -## -## -## Domain to not audit. -## -## -# - define(`mozilla_dontaudit_manage_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_manage_user_home_files'($*)) dnl - - gen_require(` - type mozilla_home_t; - ') - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; - dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_manage_user_home_files'($*)) dnl - ') - - -######################################## -## -## Execute mozilla plugin home directory files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_exec_user_plugin_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_exec_user_plugin_home_files'($*)) dnl - - gen_require(` - type mozilla_home_t, mozilla_plugin_home_t; - ') - - userdom_search_user_home_dirs($1) - exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_exec_user_plugin_home_files'($*)) dnl - ') - - -######################################## -## -## Mozilla plugin home directory file -## text relocation. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_execmod_user_plugin_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_execmod_user_plugin_home_files'($*)) dnl - - gen_require(` - type mozilla_plugin_home_t; - ') - - allow $1 mozilla_plugin_home_t:file execmod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_execmod_user_plugin_home_files'($*)) dnl - ') - - -####################################### -## -## Read temporary mozilla files. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_read_tmp_files'($*)) dnl - - gen_require(` - type mozilla_tmp_t; - ') - - read_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Run mozilla in the mozilla domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mozilla_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_domtrans'($*)) dnl - - gen_require(` - type mozilla_t, mozilla_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run mozilla plugin. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mozilla_domtrans_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_plugin'($*)) dnl - - gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_domtrans_plugin'($*)) dnl - ') - - -######################################## -## -## Execute mozilla plugin in the -## mozilla plugin domain, and allow -## the specified role the mozilla -## plugin domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`mozilla_run_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_run_plugin'($*)) dnl - - gen_require(` - attribute_role mozilla_plugin_roles; - ') - - mozilla_domtrans_plugin($1) - roleattribute $2 mozilla_plugin_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_run_plugin'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run mozilla plugin config. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mozilla_domtrans_plugin_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_plugin_config'($*)) dnl - - gen_require(` - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_domtrans_plugin_config'($*)) dnl - ') - - -######################################## -## -## Execute mozilla plugin config in -## the mozilla plugin config domain, -## and allow the specified role the -## mozilla plugin config domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`mozilla_run_plugin_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_run_plugin_config'($*)) dnl - - gen_require(` - attribute_role mozilla_plugin_config_roles; - ') - - mozilla_domtrans_plugin_config($1) - roleattribute $2 mozilla_plugin_config_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_run_plugin_config'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## mozilla over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_dbus_chat'($*)) dnl - - gen_require(` - type mozilla_t; - class dbus send_msg; - ') - - allow $1 mozilla_t:dbus send_msg; - allow mozilla_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## mozilla plugin over dbus. 
-## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_dbus_chat_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_dbus_chat_plugin'($*)) dnl - - gen_require(` - type mozilla_plugin_t; - class dbus send_msg; - ') - - allow $1 mozilla_plugin_t:dbus send_msg; - allow mozilla_plugin_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_dbus_chat_plugin'($*)) dnl - ') - - -######################################## -## -## Read and write mozilla TCP sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_rw_tcp_sockets'($*)) dnl - - gen_require(` - type mozilla_t; - ') - - allow $1 mozilla_t:tcp_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mozilla plugin rw files. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_manage_plugin_rw_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_manage_plugin_rw_files'($*)) dnl - - gen_require(` - type mozilla_plugin_rw_t; - ') - - libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_manage_plugin_rw_files'($*)) dnl - ') - - -######################################## -## -## Read mozilla_plugin tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mozilla_plugin_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_tmpfs_files'($*)) dnl - - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Delete mozilla_plugin tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`mozilla_plugin_delete_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_plugin_delete_tmpfs_files'($*)) dnl - - gen_require(` - type mozilla_plugin_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_plugin_delete_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read/write to mozilla's tmp fifo files -## -## -## -## Domain allowed access -## -## -# - define(`mozilla_rw_tmp_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_rw_tmp_pipes'($*)) dnl - - gen_require(` - type mozilla_tmp_t; - ') - - rw_fifo_files_pattern($1, mozilla_tmp_t, mozilla_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_rw_tmp_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic mozilla plugin home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mozilla_manage_generic_plugin_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_manage_generic_plugin_home_content'($*)) dnl - - gen_require(` - type mozilla_plugin_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mozilla_plugin_home_t:dir manage_dir_perms; - allow $1 mozilla_plugin_home_t:file manage_file_perms; - allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms; - allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms; - allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_manage_generic_plugin_home_content'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the generic mozilla -## plugin home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`mozilla_home_filetrans_plugin_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_home_filetrans_plugin_home'($*)) dnl - - gen_require(` - type mozilla_plugin_home_t; - ') - - userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_home_filetrans_plugin_home'($*)) dnl - ') - - -# This is gentoo specific but cannot use ifdef distro_gentoo - -######################################## -## -## Do not audit use of mozilla file descriptors -## -## -## -## Domain to dont audit access from -## -## -# - define(`mozilla_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_use_fds'($*)) dnl - - gen_require(` - type mozilla_t; - ') - - dontaudit $1 mozilla_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Send messages to mozilla plugin unix datagram sockets -## -## -## -## Domain allowed access -## -## -# - define(`mozilla_send_dgram_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mozilla_send_dgram_plugin'($*)) dnl - - gen_require(` - type mozilla_plugin_t; - ') - - allow $1 mozilla_plugin_t:unix_dgram_socket sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mozilla_send_dgram_plugin'($*)) dnl - ') - -## Openoffice suite. - -############################################################ -## -## Role access for openoffice. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`ooffice_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_role'($*)) dnl - - gen_require(` - attribute_role ooffice_roles; - type ooffice_t, ooffice_exec_t; - ') - - roleattribute $1 ooffice_roles; - - allow ooffice_t $2:unix_stream_socket connectto; - - domtrans_pattern($2, ooffice_exec_t, ooffice_t) - - allow $2 ooffice_t:process { ptrace signal_perms }; - ps_process_pattern($2, ooffice_t) - - optional_policy(` - ooffice_dbus_chat($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_role'($*)) dnl - ') - - -######################################## -## -## Run openoffice in its own domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ooffice_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_domtrans'($*)) dnl - - gen_require(` - type ooffice_t, ooffice_exec_t; - ') - - domtrans_pattern($1, ooffice_exec_t, ooffice_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_domtrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute -## files in temporary directories. -## -## -## -## Domain to not audit. -## -## -# - define(`ooffice_dontaudit_exec_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_dontaudit_exec_tmp_files'($*)) dnl - - gen_require(` - type ooffice_tmp_t; - ') - - dontaudit $1 ooffice_tmp_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_dontaudit_exec_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write temporary -## openoffice files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ooffice_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_rw_tmp_files'($*)) dnl - - gen_require(` - type ooffice_tmp_t; - ') - - rw_files_pattern($1, ooffice_tmp_t, ooffice_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_rw_tmp_files'($*)) dnl - ') - - -####################################### -## -## Send and receive dbus messages -## from and to the openoffice -## domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ooffice_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_dbus_chat'($*)) dnl - - gen_require(` - type ooffice_t; - class dbus send_msg; - ') - - allow $1 ooffice_t:dbus send_msg; - allow ooffice_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Connect to openoffice using a -## unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`ooffice_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ooffice_stream_connect'($*)) dnl - - gen_require(` - type ooffice_t, ooffice_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, ooffice_tmp_t, ooffice_tmp_t, ooffice_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ooffice_stream_connect'($*)) dnl - ') - -## Telepathy communications framework. - -####################################### -## -## The template to define a telepathy domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`telepathy_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_domain_template'($*)) dnl - - gen_require(` - attribute telepathy_domain, telepathy_executable, telepathy_tmp_content; - ') - - type telepathy_$1_t, telepathy_domain; - type telepathy_$1_exec_t, telepathy_executable; - userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t) - - type telepathy_$1_tmp_t, telepathy_tmp_content; - userdom_user_tmp_file(telepathy_$1_tmp_t) - - optional_policy(` - wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t) - ') - - auth_use_nsswitch(telepathy_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_domain_template'($*)) dnl - ') - - -####################################### -## -## The role template for the telepathy module. -## -## -##

-## This template creates a derived domains which are used -## for window manager applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`telepathy_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_role_template'($*)) dnl - - gen_require(` - attribute telepathy_domain, telepathy_tmp_content; - type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; - type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; - type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; - type telepathy_sofiasip_exec_t, telepathy_idle_exec_t; - type telepathy_logger_t, telepathy_logger_exec_t; - type telepathy_mission_control_exec_t, telepathy_salut_exec_t; - type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; - type telepathy_msn_exec_t; - - type telepathy_mission_control_xdg_cache_t, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t; - type telepathy_gabble_xdg_cache_t, telepathy_mission_control_t, telepathy_xdg_data_t; - type telepathy_mission_control_xdg_data_t, telepathy_sunshine_home_t, telepathy_logger_xdg_data_t; - type telepathy_mission_control_home_t; - ') - - role $2 types telepathy_domain; - - allow $3 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($3, telepathy_domain) - - telepathy_gabble_stream_connect($3) - telepathy_msn_stream_connect($3) - telepathy_salut_stream_connect($3) - - dbus_spec_session_domain($1, telepathy_gabble_t, telepathy_gabble_exec_t) - dbus_spec_session_domain($1, telepathy_sofiasip_t, telepathy_sofiasip_exec_t) - dbus_spec_session_domain($1, telepathy_idle_t, telepathy_idle_exec_t) - dbus_spec_session_domain($1, telepathy_logger_t, telepathy_logger_exec_t) - dbus_spec_session_domain($1, telepathy_mission_control_t, telepathy_mission_control_exec_t) - dbus_spec_session_domain($1, telepathy_salut_t, 
telepathy_salut_exec_t) - dbus_spec_session_domain($1, telepathy_sunshine_t, telepathy_sunshine_exec_t) - dbus_spec_session_domain($1, telepathy_stream_engine_t, telepathy_stream_engine_exec_t) - dbus_spec_session_domain($1, telepathy_msn_t, telepathy_msn_exec_t) - - allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:dir { manage_dir_perms relabel_dir_perms }; - - allow $3 { telepathy_mission_control_xdg_cache_t telepathy_xdg_cache_t telepathy_logger_xdg_cache_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_gabble_xdg_cache_t telepathy_mission_control_home_t telepathy_xdg_data_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_mission_control_xdg_data_t telepathy_sunshine_home_t telepathy_logger_xdg_data_t }:file { manage_file_perms relabel_file_perms }; - - filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_gabble_xdg_cache_t, dir, "gabble") - # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky") - - filetrans_pattern($3, telepathy_xdg_cache_t, telepathy_logger_xdg_cache_t, dir, "logger") - # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger") - - userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control") - filetrans_pattern($3, telepathy_xdg_data_t, telepathy_mission_control_xdg_data_t, dir, "mission-control") - # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections") - - userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") - - # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy") - # gnome_data_filetrans($3, 
telepathy_data_home_t, dir, "telepathy") - - allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms }; - allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms }; - allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - telepathy_mission_control_dbus_chat($3) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_role_template'($*)) dnl - ') - - -######################################## -## -## Connect to gabble with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`telepathy_gabble_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_gabble_stream_connect'($*)) dnl - - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_gabble_stream_connect'($*)) dnl - ') - - -######################################## -## -## Send dbus messages to and from -## gabble. -## -## -## -## Domain allowed access. -## -## -# - define(`telepathy_gabble_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_gabble_dbus_chat'($*)) dnl - - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; - ') - - allow $1 telepathy_gabble_t:dbus send_msg; - allow telepathy_gabble_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_gabble_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send dbus messages to and from -## mission control. -## -## -## -## Domain allowed access. 
-## -## -# - define(`telepathy_mission_control_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_mission_control_dbus_chat'($*)) dnl - - gen_require(` - type telepathy_mission_control_t; - class dbus send_msg; - ') - - allow $1 telepathy_mission_control_t:dbus send_msg; - allow telepathy_mission_control_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_mission_control_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Read mission control process state files. -## -## -## -## Domain allowed access. -## -## -# - define(`telepathy_mission_control_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_mission_control_read_state'($*)) dnl - - gen_require(` - type telepathy_mission_control_t; - ') - - kernel_search_proc($1) - allow $1 telepathy_mission_control_t:dir list_dir_perms; - allow $1 telepathy_mission_control_t:file read_file_perms; - allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_mission_control_read_state'($*)) dnl - ') - - -####################################### -## -## Connect to msn with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`telepathy_msn_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_msn_stream_connect'($*)) dnl - - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_msn_stream_connect'($*)) dnl - ') - - -######################################## -## -## Connect to salut with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`telepathy_salut_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telepathy_salut_stream_connect'($*)) dnl - - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telepathy_salut_stream_connect'($*)) dnl - ') - -## Tools for managing and hosting git repositories. - -####################################### -## -## Execute a domain transition to run gitosis. -## -## -## -## Domain allowed to transition. -## -## -# - define(`gitosis_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gitosis_domtrans'($*)) dnl - - gen_require(` - type gitosis_t, gitosis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gitosis_exec_t, gitosis_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gitosis_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute gitosis-serve in the -## gitosis domain, and allow the -## specified role the gitosis domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -# - define(`gitosis_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gitosis_run'($*)) dnl - - gen_require(` - attribute_role gitosis_roles; - ') - - gitosis_domtrans($1) - roleattribute $2 gitosis_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gitosis_run'($*)) dnl - ') - - -####################################### -## -## Read gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`gitosis_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gitosis_read_lib_files'($*)) dnl - - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gitosis_read_lib_files'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## gitosis lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`gitosis_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gitosis_manage_lib_files'($*)) dnl - - gen_require(` - type gitosis_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gitosis_manage_lib_files'($*)) dnl - ') - -## Update database for mlocate. - -######################################## -## -## Read locate lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`locate_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locate_read_lib_files'($*)) dnl - - gen_require(` - type locate_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) - allow $1 locate_var_lib_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locate_read_lib_files'($*)) dnl - ') - -## High quality television application. - -######################################## -## -## Role access for tvtime -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`tvtime_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tvtime_role'($*)) dnl - - gen_require(` - attribute_role tvtime_roles; - type tvtime_t, tvtime_exec_t, tvtime_tmp_t; - type tvtime_home_t, tvtime_tmpfs_t; - ') - - roleattribute $1 tvtime_roles; - - domtrans_pattern($2, tvtime_exec_t, tvtime_t) - - ps_process_pattern($2, tvtime_t) - allow $2 tvtime_t:process { ptrace signal_perms }; - - allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tvtime_role'($*)) dnl - ') - -## On-line manual database. - -######################################## -## -## Execute the mandb program in -## the mandb domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mandb_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mandb_domtrans'($*)) dnl - - gen_require(` - type mandb_t, mandb_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mandb_exec_t, mandb_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mandb_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mandb in the mandb -## domain, and allow the specified -## role the mandb domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`mandb_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mandb_run'($*)) dnl - - gen_require(` - attribute_role mandb_roles; - ') - - mandb_domtrans($1) - roleattribute $2 mandb_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mandb_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mandb environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`mandb_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mandb_admin'($*)) dnl - - gen_require(` - type mandb_t; - ') - - admin_process_pattern($1, mandb_t) - - mandb_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mandb_admin'($*)) dnl - ') - -## Squid log analysis. - -######################################## -## -## Execute the calamaris in -## the calamaris domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`calamaris_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `calamaris_domtrans'($*)) dnl - - gen_require(` - type calamaris_t, calamaris_exec_t; - ') - - files_search_etc($1) - domtrans_pattern($1, calamaris_exec_t, calamaris_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `calamaris_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute calamaris in the -## calamaris domain, and allow the -## specified role the calamaris domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`calamaris_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `calamaris_run'($*)) dnl - - gen_require(` - attribute_role calamaris_roles; - ') - - lightsquid_domtrans($1) - roleattribute $2 calamaris_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `calamaris_run'($*)) dnl - ') - - -####################################### -## -## Read calamaris www files. -## -## -## -## Domain allowed access. -## -## -# - define(`calamaris_read_www_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `calamaris_read_www_files'($*)) dnl - - gen_require(` - type calamaris_www_t; - ') - - allow $1 calamaris_www_t:dir list_dir_perms; - read_files_pattern($1, calamaris_www_t, calamaris_www_t) - read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `calamaris_read_www_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an calamaris environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`calamaris_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `calamaris_admin'($*)) dnl - - gen_require(` - type calamaris_t, calamaris_log_t, calamaris_www_t; - ') - - allow $1 calamaris_t:process { ptrace signal_perms }; - ps_process_pattern($1, calamaris_t) - - calamaris_run($1, $2) - - logging_list_logs($1) - admin_pattern($1, calamaris_log_t) - - apache_list_sys_content($1) - admin_pattern($1, calamaris_www_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `calamaris_admin'($*)) dnl - ') - -## Java virtual machine - -######################################## -## -## Role access for java. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`java_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_role'($*)) dnl - - gen_require(` - attribute_role java_roles; - type java_t, java_exec_t, java_tmp_t; - type java_tmpfs_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 java_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, java_exec_t, java_t) - - allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; - ps_process_pattern($2, java_t) - - allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow java_t $2:process signull; - allow java_t $2:unix_stream_socket connectto; - allow java_t $2:unix_stream_socket { read write }; - allow java_t $2:tcp_socket { read write }; - 
- ifdef(`distro_gentoo',` - gen_require(` - type java_home_t; - ') - - manage_files_pattern($2, java_home_t, java_home_t) - manage_dirs_pattern($2, java_home_t, java_home_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_role'($*)) dnl - ') - - -####################################### -## -## The role template for the java module. -## -## -##

-## This template creates a derived domains which are used -## for java applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`java_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_role_template'($*)) dnl - - gen_require(` - attribute java_domain; - type java_exec_t, java_tmp_t, java_tmpfs_t; - type java_home_t; - ') - - ######################################## - # - # Declarations - # - - type $1_java_t, java_domain; - userdom_user_application_domain($1_java_t, java_exec_t) - - role $2 types $1_java_t; - - ######################################## - # - # Policy - # - - domtrans_pattern($3, java_exec_t, $1_java_t) - - allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms }; - ps_process_pattern($3, $1_java_t) - - allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java") - - allow $1_java_t $3:process signull; - allow $1_java_t $3:unix_stream_socket connectto; - allow $1_java_t $3:unix_stream_socket { read write }; - allow $1_java_t $3:tcp_socket { read write }; - - corecmd_bin_domtrans($1_java_t, $3) - - auth_use_nsswitch($1_java_t) - - optional_policy(` - xserver_role($2, $1_java_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_role_template'($*)) dnl - ') - - -######################################## -## -## Execute the java program in the java domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`java_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_domtrans'($*)) dnl - - gen_require(` - type java_t, java_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, java_t) - - ifdef(`distro_gentoo',` - # /usr/bin/java is a symlink - files_read_usr_symlinks($1) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute java in the java domain, and -## allow the specified role the java domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`java_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_run'($*)) dnl - - gen_require(` - attribute_role java_roles; - ') - - java_domtrans($1) - roleattribute $2 java_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_run'($*)) dnl - ') - - -######################################## -## -## Execute the java program in the -## unconfined java domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`java_domtrans_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_domtrans_unconfined'($*)) dnl - - gen_require(` - type unconfined_java_t, java_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, java_exec_t, unconfined_java_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_domtrans_unconfined'($*)) dnl - ') - - -######################################## -## -## Execute the java program in the -## unconfined java domain and allow the -## specified role the java domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -# - define(`java_run_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_run_unconfined'($*)) dnl - - gen_require(` - attribute_role unconfined_java_roles; - ') - - java_domtrans_unconfined($1) - roleattribute $2 unconfined_java_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_run_unconfined'($*)) dnl - ') - - -######################################## -## -## Execute the java program in -## the callers domain. -## -## -## -## Domain allowed access. -## -## -# - define(`java_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_exec'($*)) dnl - - gen_require(` - type java_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, java_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_exec'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic java home content. -## -## -## -## Domain allowed access. -## -## -# - define(`java_manage_generic_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_manage_generic_home_content'($*)) dnl - - gen_require(` - type java_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 java_home_t:dir manage_dir_perms; - allow $1 java_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_manage_generic_home_content'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## temporary java content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`java_manage_java_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_manage_java_tmp'($*)) dnl - - gen_require(` - type java_tmp_t; - ') - - allow $1 java_tmp_t:dir manage_dir_perms; - allow $1 java_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_manage_java_tmp'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the generic java -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`java_home_filetrans_java_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_home_filetrans_java_home'($*)) dnl - - gen_require(` - type java_home_t; - ') - - userdom_user_home_dir_filetrans($1, java_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_home_filetrans_java_home'($*)) dnl - ') - - -######################################## -## -## Run java in javaplugin domain and -## do not clean the environment (atsecure) -## -## -##

-## This is needed when java is called by an application with library -## settings (such as is the case when invoked as a browser plugin) -##

-##
-## -## -## Domain allowed to transition. -## -## -# - define(`java_noatsecure_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_noatsecure_domtrans'($*)) dnl - - gen_require(` - type java_t; - ') - - allow $1 java_t:process noatsecure; - - java_domtrans($1) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_noatsecure_domtrans'($*)) dnl - ') - - -# everything after here is gentoo-specific. ifdef's are not allowed for this unfortunately - -####################################### -## -## The template for using java in a domain. -## -## -##

-## This template creates a derived domains which are used -## for java applications. -##

-##
-## -## -## The type of the domain to be given java privs. -## -## -# - define(`java_domain_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `java_domain_type'($*)) dnl - - gen_require(` - attribute java_domain; - ') - - ######################################## - # - # Policy - # - - typeattribute $1 java_domain; - - # cannot be called on the attribute, so do it now - auth_use_nsswitch($1) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `java_domain_type'($*)) dnl - ') - -## Command-line CPU frequency settings. - -######################################## -## -## Send and receive messages from -## cpufreq-selector over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`cpufreqselector_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cpufreqselector_dbus_chat'($*)) dnl - - gen_require(` - type cpufreqselector_t; - class dbus send_msg; - ') - - allow $1 cpufreqselector_t:dbus send_msg; - allow cpufreqselector_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cpufreqselector_dbus_chat'($*)) dnl - ') - -## Run Windows programs in Linux. - -######################################## -## -## Role access for wine. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`wine_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wine_role'($*)) dnl - - gen_require(` - attribute_role wine_roles; - type wine_exec_t, wine_t, wine_tmp_t; - type wine_home_t; - ') - - roleattribute $1 wine_roles; - - domtrans_pattern($2, wine_exec_t, wine_t) - - allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; - - ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; - - allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; - allow $2 wine_t:unix_stream_socket connectto; - - allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wine_role'($*)) dnl - ') - - -####################################### -## -## The role template for the wine module. -## -## -##

-## This template creates a derived domains which are used -## for wine applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`wine_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wine_role_template'($*)) dnl - - gen_require(` - type wine_exec_t; - ') - - type $1_wine_t; - userdom_user_application_domain($1_wine_t, wine_exec_t) - role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; - - allow $3 $1_wine_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($3, $1_wine_t) - - domtrans_pattern($3, wine_exec_t, $1_wine_t) - - corecmd_bin_domtrans($1_wine_t, $3) - - userdom_manage_user_tmpfs_files($1_wine_t) - - domain_mmap_low($1_wine_t) - - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wine_role_template'($*)) dnl - ') - - -######################################## -## -## Execute the wine program in the wine domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`wine_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wine_domtrans'($*)) dnl - - gen_require(` - type wine_t, wine_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wine_exec_t, wine_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wine_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute wine in the wine domain, -## and allow the specified role -## the wine domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`wine_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wine_run'($*)) dnl - - gen_require(` - attribute_role wine_roles; - ') - - wine_domtrans($1) - roleattribute $2 wine_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wine_run'($*)) dnl - ') - - -######################################## -## -## Read and write wine Shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# - define(`wine_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wine_rw_shm'($*)) dnl - - gen_require(` - type wine_t; - ') - - allow $1 wine_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wine_rw_shm'($*)) dnl - ') - -## system-config-samba dbus service. -## Log analyzer for squid proxy. - -######################################## -## -## Execute the lightsquid program in -## the lightsquid domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`lightsquid_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lightsquid_domtrans'($*)) dnl - - gen_require(` - type lightsquid_t, lightsquid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lightsquid_exec_t, lightsquid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lightsquid_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute lightsquid in the -## lightsquid domain, and allow the -## specified role the lightsquid domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`lightsquid_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lightsquid_run'($*)) dnl - - gen_require(` - attribute_role lightsquid_roles; - ') - - lightsquid_domtrans($1) - roleattribute $2 lightsquid_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lightsquid_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an lightsquid environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`lightsquid_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lightsquid_admin'($*)) dnl - - gen_require(` - type lightsquid_t, lightsquid_rw_content_t; - ') - - allow $1 lightsquid_t:process { ptrace signal_perms }; - ps_process_pattern($1, lightsquid_t) - - lightsquid_run($1, $2) - - files_search_var_lib($1) - admin_pattern($1, lightsquid_rw_content_t) - - apache_list_sys_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lightsquid_admin'($*)) dnl - ') - -## IRC client policy. - -######################################## -## -## Role access for IRC. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`irc_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `irc_role'($*)) dnl - - gen_require(` - attribute_role irc_roles; - type irc_t, irc_exec_t, irc_home_t; - type irc_tmp_t, irc_log_home_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 irc_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, irc_exec_t, irc_t) - - ps_process_pattern($2, irc_t) - allow $2 irc_t:process { ptrace signal_perms }; - - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi") - userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd") - userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `irc_role'($*)) dnl - ') - -## VMWare Workstation virtual machines. - -######################################## -## -## Role access for vmware. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`vmware_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vmware_role'($*)) dnl - - gen_require(` - type vmware_t, vmware_exec_t, vmware_file_t; - type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t; - ') - - role $1 types vmware_t; - - domtrans_pattern($2, vmware_exec_t, vmware_t) - - ps_process_pattern($2, vmware_t) - allow $2 vmware_t:process { ptrace signal_perms }; - - allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware") - userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vmware_role'($*)) dnl - ') - - -######################################## -## -## Execute vmware host executables -## -## -## -## Domain allowed access. -## -## -# - define(`vmware_exec_host',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vmware_exec_host'($*)) dnl - - gen_require(` - type vmware_host_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, vmware_host_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vmware_exec_host'($*)) dnl - ') - - -######################################## -## -## Read vmware system configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vmware_read_system_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vmware_read_system_config'($*)) dnl - - gen_require(` - type vmware_sys_conf_t; - ') - - files_search_etc($1) - allow $1 vmware_sys_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vmware_read_system_config'($*)) dnl - ') - - -######################################## -## -## Append vmware system configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`vmware_append_system_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vmware_append_system_config'($*)) dnl - - gen_require(` - type vmware_sys_conf_t; - ') - - files_search_etc($1) - allow $1 vmware_sys_conf_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vmware_append_system_config'($*)) dnl - ') - - -######################################## -## -## Append vmware log files. -## -## -## -## Domain allowed access. -## -## -# - define(`vmware_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vmware_append_log'($*)) dnl - - gen_require(` - type vmware_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, vmware_log_t, vmware_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vmware_append_log'($*)) dnl - ') - -## Modular screen saver and locker for X11. - -######################################## -## -## Role access for xscreensaver. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`xscreensaver_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xscreensaver_role'($*)) dnl - - gen_require(` - attribute_role xscreensaver_roles; - attribute_role xscreensaver_helper_roles; - type xscreensaver_t, xscreensaver_exec_t; - type xscreensaver_helper_t; - type xscreensaver_config_t, xscreensaver_tmpfs_t; - ') - - roleattribute $1 xscreensaver_roles; - roleattribute $1 xscreensaver_helper_roles; - - domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) - - allow $2 xscreensaver_t:process { ptrace signal_perms }; - ps_process_pattern($2, xscreensaver_t) - - allow $2 xscreensaver_config_t:file { manage_file_perms relabel_file_perms }; - - allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms }; - - allow xscreensaver_helper_t $2:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xscreensaver_role'($*)) dnl - ') - -## system-config-firewall dbus system service. - -######################################## -## -## Send and receive messages from -## firewallgui over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`firewallgui_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewallgui_dbus_chat'($*)) dnl - - gen_require(` - type firewallgui_t; - class dbus send_msg; - ') - - allow $1 firewallgui_t:dbus send_msg; - allow firewallgui_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewallgui_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write firewallgui unnamed pipes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`firewallgui_dontaudit_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewallgui_dontaudit_rw_pipes'($*)) dnl - - gen_require(` - type firewallgui_t; - ') - - dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewallgui_dontaudit_rw_pipes'($*)) dnl - ') - -## Restricted (scp/sftp) only shell. - -######################################## -## -## Role access for rssh. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`rssh_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rssh_role'($*)) dnl - - gen_require(` - attribute_role rssh_roles; - type rssh_t, rssh_exec_t, rssh_ro_t; - type rssh_rw_t; - ') - - roleattribute $1 rssh_roles; - - domtrans_pattern($2, rssh_exec_t, rssh_t) - - allow $2 rssh_t:process { ptrace signal_perms }; - ps_process_pattern($2, rssh_t) - - allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rssh_role'($*)) dnl - ') - - -######################################## -## -## Execute rssh in the rssh domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rssh_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rssh_spec_domtrans'($*)) dnl - - gen_require(` - type rssh_t, rssh_exec_t; - ') - - corecmd_search_bin($1) - spec_domtrans_pattern($1, rssh_exec_t, rssh_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rssh_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the rssh program -## in the caller domain. 
-## -## -## -## Domain allowed access. -## -## -# - define(`rssh_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rssh_exec'($*)) dnl - - gen_require(` - type rssh_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rssh_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rssh_exec'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run rssh chroot helper. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rssh_domtrans_chroot_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rssh_domtrans_chroot_helper'($*)) dnl - - gen_require(` - type rssh_chroot_helper_t, rssh_chroot_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rssh_domtrans_chroot_helper'($*)) dnl - ') - - -######################################## -## -## Read users rssh read-only content. -## -## -## -## Domain allowed access. -## -## -# - define(`rssh_read_ro_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rssh_read_ro_content'($*)) dnl - - gen_require(` - type rssh_ro_t; - ') - - allow $1 rssh_ro_t:dir list_dir_perms; - allow $1 rssh_ro_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rssh_read_ro_content'($*)) dnl - ') - -## Podsleuth is a tool to get information about an Apple (TM) iPod (TM). - -######################################## -## -## Execute a domain transition to run podsleuth. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`podsleuth_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `podsleuth_domtrans'($*)) dnl - - gen_require(` - type podsleuth_t, podsleuth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `podsleuth_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute podsleuth in the podsleuth -## domain, and allow the specified role -## the podsleuth domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`podsleuth_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `podsleuth_run'($*)) dnl - - gen_require(` - attribute_role podsleuth_roles; - ') - - podsleuth_domtrans($1) - roleattribute $2 podsleuth_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `podsleuth_run'($*)) dnl - ') - -## GNU network object model environment. - -####################################### -## -## The role template for gnome. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. 
-## -## -# - define(`gnome_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_role_template'($*)) dnl - - gen_require(` - attribute gnomedomain, gkeyringd_domain; - attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; - type gconfd_t, gconfd_exec_t, gconf_tmp_t; - type gconf_home_t, gnome_home_t; - ') - - ######################################## - # - # Gconf declarations - # - - roleattribute $2 gconfd_roles; - - ######################################## - # - # Gkeyringd declarations - # - - type $1_gkeyringd_t, gnomedomain, gkeyringd_domain; - userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t) - domain_user_exemption_target($1_gkeyringd_t) - - role $2 types $1_gkeyringd_t; - - ######################################## - # - # Gconf policy - # - - domtrans_pattern($3, gconfd_exec_t, gconfd_t) - - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") - - allow $3 gconfd_t:process { ptrace signal_perms }; - ps_process_pattern($3, gconfd_t) - - ######################################## - # - # Gkeyringd policy - # - - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; - - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") - - gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") - - allow $3 
gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - - ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; - - corecmd_bin_domtrans($1_gkeyringd_t, $3) - corecmd_shell_domtrans($1_gkeyringd_t, $3) - - gnome_stream_connect_gkeyringd($1, $3) - - optional_policy(` - dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t) - dbus_system_bus_client($1_gkeyringd_t) - - optional_policy(` - evolution_dbus_chat($1_gkeyringd_t) - ') - - optional_policy(` - gnome_dbus_chat_gconfd($3) - gnome_dbus_chat_gkeyringd($1, $3) - ') - - optional_policy(` - wm_dbus_chat($1, $1_gkeyringd_t) - ') - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_role_template'($*)) dnl - ') - - -######################################## -## -## Execute gconf in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_exec_gconf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_exec_gconf'($*)) dnl - - gen_require(` - type gconfd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, gconfd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_exec_gconf'($*)) dnl - ') - - -######################################## -## -## Read gconf configuration content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_read_gconf_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_read_gconf_config'($*)) dnl - - gen_require(` - type gconf_etc_t; - ') - - files_search_etc($1) - allow $1 gconf_etc_t:dir list_dir_perms; - allow $1 gconf_etc_t:file read_file_perms; - allow $1 gconf_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_read_gconf_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## inherited gconf configuration files. -## -## -## -## Domain to not audit. -## -## -# - define(`gnome_dontaudit_read_inherited_gconf_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_read_inherited_gconf_config_files'($*)) dnl - - gen_require(` - type gconf_etc_t; - ') - - dontaudit $1 gconf_etc_t:file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_dontaudit_read_inherited_gconf_config_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## gconf configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_manage_gconf_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_manage_gconf_config'($*)) dnl - - gen_require(` - type gconf_etc_t; - ') - - files_search_etc($1) - allow $1 gconf_etc_t:dir manage_dir_perms; - allow $1 gconf_etc_t:file manage_file_perms; - allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_manage_gconf_config'($*)) dnl - ') - - -######################################## -## -## Connect to gconf using a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_stream_connect_gconf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gconf'($*)) dnl - - gen_require(` - type gconfd_t, gconf_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gconf'($*)) dnl - ') - - -######################################## -## -## Run gconfd in gconfd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`gnome_domtrans_gconfd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_domtrans_gconfd'($*)) dnl - - gen_require(` - type gconfd_t, gconfd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gconfd_exec_t, gconfd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_domtrans_gconfd'($*)) dnl - ') - - -######################################## -## -## Create generic gnome home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_create_generic_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_create_generic_home_dirs'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - allow $1 gnome_home_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_create_generic_home_dirs'($*)) dnl - ') - - -######################################## -## -## Set attributes of generic gnome -## user home directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_setattr_generic_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_setattr_generic_home_dirs'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_setattr_generic_home_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic gnome home content. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_read_generic_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_read_generic_home_content'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir list_dir_perms; - allow $1 gnome_home_t:file { read_file_perms map }; - allow $1 gnome_home_t:fifo_file read_fifo_file_perms; - allow $1 gnome_home_t:lnk_file read_lnk_file_perms; - allow $1 gnome_home_t:sock_file read_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_read_generic_home_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic gnome home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_manage_generic_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_home_content'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; - allow $1 gnome_home_t:fifo_file manage_fifo_file_perms; - allow $1 gnome_home_t:lnk_file manage_lnk_file_perms; - allow $1 gnome_home_t:sock_file manage_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_manage_generic_home_content'($*)) dnl - ') - - -######################################## -## -## Search generic gnome home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_search_generic_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_search_generic_home'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_search_generic_home'($*)) dnl - ') - - -######################################## -## -## Create objects in gnome user home -## directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`gnome_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_home_filetrans'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, gnome_home_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create generic gconf home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_create_generic_gconf_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_create_generic_gconf_home_dirs'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - allow $1 gconf_home_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_create_generic_gconf_home_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic gconf home content. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_read_generic_gconf_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_read_generic_gconf_home_content'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir list_dir_perms; - allow $1 gconf_home_t:file read_file_perms; - allow $1 gconf_home_t:fifo_file read_fifo_file_perms; - allow $1 gconf_home_t:lnk_file read_lnk_file_perms; - allow $1 gconf_home_t:sock_file read_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_read_generic_gconf_home_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic gconf home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_manage_generic_gconf_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_gconf_home_content'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir manage_dir_perms; - allow $1 gconf_home_t:file manage_file_perms; - allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; - allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; - allow $1 gconf_home_t:sock_file manage_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_manage_generic_gconf_home_content'($*)) dnl - ') - - -######################################## -## -## Search generic gconf home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_search_generic_gconf_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_search_generic_gconf_home'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_search_generic_gconf_home'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the generic gconf -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`gnome_home_filetrans_gconf_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_home_filetrans_gconf_home'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_home_filetrans_gconf_home'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the generic gnome -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`gnome_home_filetrans_gnome_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_home_filetrans_gnome_home'($*)) dnl - - gen_require(` - type gnome_home_t; - ') - - userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_home_filetrans_gnome_home'($*)) dnl - ') - - -######################################## -## -## Create objects in gnome gconf home -## directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`gnome_gconf_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_gconf_home_filetrans'($*)) dnl - - gen_require(` - type gconf_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, gconf_home_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_gconf_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the gstreamer -## orcexec type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_user_home_dir_filetrans_gstreamer_orcexec'($*)) dnl - - gen_require(` - type gstreamer_orcexec_t; - ') - - userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_user_home_dir_filetrans_gstreamer_orcexec'($*)) dnl - ') - - -######################################## -## -## Create objects in the user -## runtime directories with the -## gstreamer orcexec type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`gnome_user_runtime_filetrans_gstreamer_orcexec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_user_runtime_filetrans_gstreamer_orcexec'($*)) dnl - - gen_require(` - type gstreamer_orcexec_t; - ') - - userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_user_runtime_filetrans_gstreamer_orcexec'($*)) dnl - ') - - -######################################## -## -## Read generic gnome keyring home files. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_read_keyring_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_read_keyring_home_files'($*)) dnl - - gen_require(` - type gnome_home_t, gnome_keyring_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_read_keyring_home_files'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## gnome configuration daemon over -## dbus. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_dbus_chat_gconfd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gconfd'($*)) dnl - - gen_require(` - type gconfd_t; - class dbus send_msg; - ') - - allow $1 gconfd_t:dbus send_msg; - allow gconfd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gconfd'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## gnome keyring daemon over dbus. 
-## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_dbus_chat_gkeyringd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gkeyringd'($*)) dnl - - gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; - ') - - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gkeyringd'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from all -## gnome keyring daemon over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_dbus_chat_all_gkeyringd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_all_gkeyringd'($*)) dnl - - gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; - ') - - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_all_gkeyringd'($*)) dnl - ') - - -######################################## -## -## Run all gkeyringd in gkeyringd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`gnome_spec_domtrans_all_gkeyringd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_spec_domtrans_all_gkeyringd'($*)) dnl - - gen_require(` - attribute gkeyringd_domain; - type gkeyringd_exec_t; - ') - - corecmd_search_bin($1) - spec_domtrans_pattern($1, gkeyringd_exec_t, gkeyringd_domain) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_spec_domtrans_all_gkeyringd'($*)) dnl - ') - - -######################################## -## -## Connect to gnome keyring daemon -## with a unix stream socket. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_stream_connect_gkeyringd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gkeyringd'($*)) dnl - - gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; - ') - - files_search_tmp($2) - userdom_search_user_runtime($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gkeyringd'($*)) dnl - ') - - -######################################## -## -## Connect to all gnome keyring daemon -## with a unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gnome_stream_connect_all_gkeyringd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_all_gkeyringd'($*)) dnl - - gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; - ') - - files_search_tmp($1) - userdom_search_user_runtime($1) - stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_stream_connect_all_gkeyringd'($*)) dnl - ') - - -######################################## -## -## Manage gstreamer ORC optimized -## code. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_manage_gstreamer_orcexec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_manage_gstreamer_orcexec'($*)) dnl - - gen_require(` - type gstreamer_orcexec_t; - ') - - allow $1 gstreamer_orcexec_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_manage_gstreamer_orcexec'($*)) dnl - ') - - -######################################## -## -## Mmap gstreamer ORC optimized -## code. -## -## -## -## Domain allowed access. -## -## -# - define(`gnome_mmap_gstreamer_orcexec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnome_mmap_gstreamer_orcexec'($*)) dnl - - gen_require(` - type gstreamer_orcexec_t; - ') - - allow $1 gstreamer_orcexec_t:file mmap_exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnome_mmap_gstreamer_orcexec'($*)) dnl - ') - -## Application that lets you synchronize your files across multiple devices. 
- -######################################## -## -## Role access for Syncthing -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`syncthing_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `syncthing_role'($*)) dnl - - gen_require(` - attribute_role syncthing_roles; - type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t; - ') - - roleattribute $1 syncthing_roles; - - domtrans_pattern($2, syncthing_exec_t, syncthing_t) - - allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms }; - allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `syncthing_role'($*)) dnl - ') - -## CryFS and similar other tools which mount encrypted directories using FUSE. - -######################################## -## -## Role access for CryFS. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`cryfs_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cryfs_role'($*)) dnl - - gen_require(` - attribute_role cryfs_roles; - type cryfs_t, cryfs_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 cryfs_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, cryfs_exec_t, cryfs_t) - - allow $2 cryfs_t:process signal_perms; - ps_process_pattern($2, cryfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cryfs_role'($*)) dnl - ') - -## A wrapper that helps users run system programs. - -####################################### -## -## The role template for the userhelper module. 
-## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The user role. -## -## -## -## -## The user domain associated with the role. -## -## -# - define(`userhelper_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_role_template'($*)) dnl - - gen_require(` - attribute userhelper_type, consolehelper_type; - attribute_role userhelper_roles, consolehelper_roles; - type userhelper_exec_t, consolehelper_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_consolehelper_t, consolehelper_type; - userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) - - role consolehelper_roles types $1_consolehelper_t; - roleattribute $2 consolehelper_roles; - - type $1_userhelper_t, userhelper_type; - userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) - - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) - - role userhelper_roles types $1_userhelper_t; - roleattribute $2 userhelper_roles; - - ######################################## - # - # Consolehelper local policy - # - - allow $1_consolehelper_t $3:unix_stream_socket connectto; - - domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) - - allow $3 $1_consolehelper_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_consolehelper_t) - - auth_use_pam($1_consolehelper_t) - - optional_policy(` - dbus_connect_all_session_bus($1_consolehelper_t) - - optional_policy(` - userhelper_dbus_chat_all_consolehelper($3) - ') - ') - - ######################################## - # - # Userhelper local policy - # - - domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - - dontaudit $3 $1_userhelper_t:process signal; - - corecmd_bin_domtrans($1_userhelper_t, $3) - - 
auth_domtrans_chk_passwd($1_userhelper_t) - auth_use_nsswitch($1_userhelper_t) - - userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - - optional_policy(` - tunable_policy(`! secure_mode',` - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_role_template'($*)) dnl - ') - - -######################################## -## -## Search userhelper configuration directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userhelper_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_search_config'($*)) dnl - - gen_require(` - type userhelper_conf_t; - ') - - allow $1 userhelper_conf_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_search_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## userhelper configuration directories. -## -## -## -## Domain to not audit. -## -## -# - define(`userhelper_dontaudit_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_search_config'($*)) dnl - - gen_require(` - type userhelper_conf_t; - ') - - dontaudit $1 userhelper_conf_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_search_config'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## consolehelper over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userhelper_dbus_chat_all_consolehelper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_dbus_chat_all_consolehelper'($*)) dnl - - gen_require(` - attribute consolehelper_type; - class dbus send_msg; - ') - - allow $1 consolehelper_type:dbus send_msg; - allow consolehelper_type $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_dbus_chat_all_consolehelper'($*)) dnl - ') - - -######################################## -## -## Use userhelper all userhelper file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`userhelper_use_fd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_use_fd'($*)) dnl - - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_use_fd'($*)) dnl - ') - - -######################################## -## -## Send child terminated signals to all userhelper. -## -## -## -## Domain allowed access. -## -## -# - define(`userhelper_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_sigchld'($*)) dnl - - gen_require(` - attribute userhelper_type; - ') - - allow $1 userhelper_type:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_sigchld'($*)) dnl - ') - - -######################################## -## -## Execute the userhelper program in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userhelper_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_exec'($*)) dnl - - gen_require(` - type userhelper_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, userhelper_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_exec'($*)) dnl - ') - - -######################################## -## -## Execute the consolehelper program -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`userhelper_exec_consolehelper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userhelper_exec_consolehelper'($*)) dnl - - gen_require(` - type consolehelper_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, consolehelper_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userhelper_exec_consolehelper'($*)) dnl - ') - -## Record audio or data Compact Discs from a master. - -######################################## -## -## Role access for cdrecord. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`cdrecord_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cdrecord_role'($*)) dnl - - gen_require(` - attribute_role cdrecord_roles; - type cdrecord_t, cdrecord_exec_t; - ') - - roleattribute $1 cdrecord_roles; - - domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) - - allow cdrecord_t $2:unix_stream_socket rw_socket_perms; - - allow $2 cdrecord_t:process { ptrace signal_perms }; - ps_process_pattern($2, cdrecord_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cdrecord_role'($*)) dnl - ') - - -######################################## -## -## Execute cdrecord in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cdrecord_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cdrecord_exec'($*)) dnl - - gen_require(` - type cdrecord_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, cdrecord_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cdrecord_exec'($*)) dnl - ') - -## Load keyboard mappings. - -######################################## -## -## Execute the loadkeys program in -## the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`loadkeys_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `loadkeys_domtrans'($*)) dnl - - gen_require(` - type loadkeys_t, loadkeys_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `loadkeys_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the loadkeys program in -## the loadkeys domain, and allow the -## specified role the loadkeys domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`loadkeys_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `loadkeys_run'($*)) dnl - - gen_require(` - attribute_role loadkeys_roles; - ') - - loadkeys_domtrans($1) - roleattribute $2 loadkeys_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `loadkeys_run'($*)) dnl - ') - - -######################################## -## -## Execute the loadkeys in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`loadkeys_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `loadkeys_exec'($*)) dnl - - gen_require(` - type loadkeys_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, loadkeys_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `loadkeys_exec'($*)) dnl - ') - -## GNU terminal multiplexer. - -####################################### -## -## The role template for the screen module. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`screen_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `screen_role_template'($*)) dnl - - gen_require(` - attribute screen_domain; - attribute_role screen_roles; - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_runtime_t; - ') - - ######################################## - # - # Declarations - # - - type $1_screen_t, screen_domain; - userdom_user_application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) - role screen_roles types $1_screen_t; - - roleattribute $2 screen_roles; - - ######################################## - # - # Local policy - # - - dontaudit $1_screen_t self:capability sys_tty_config; - - domtrans_pattern($3, screen_exec_t, $1_screen_t) - - ps_process_pattern($3, $1_screen_t) - allow $3 $1_screen_t:process { ptrace signal_perms }; - - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; - allow $1_screen_t $3:process signal; - - allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow $3 screen_home_t:dir { manage_dir_perms 
relabel_dir_perms }; - allow $3 screen_home_t:file { manage_file_perms relabel_file_perms }; - allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf") - - manage_dirs_pattern($3, screen_runtime_t, screen_runtime_t) - manage_files_pattern($3, screen_runtime_t, screen_runtime_t) - manage_lnk_files_pattern($3, screen_runtime_t, screen_runtime_t) - manage_fifo_files_pattern($3, screen_runtime_t, screen_runtime_t) - - corecmd_bin_domtrans($1_screen_t, $3) - corecmd_shell_domtrans($1_screen_t, $3) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - - userdom_user_home_domtrans($1_screen_t, $3) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_nfs_domtrans($1_screen_t, $3) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `screen_role_template'($*)) dnl - ') - -## Peer to peer file sharing tool. - -######################################## -## -## Role access for gift. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`gift_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gift_role'($*)) dnl - - gen_require(` - attribute_role gift_roles, giftd_roles; - type gift_t, gift_exec_t, gift_home_t; - type giftd_t, giftd_exec_t, gift_tmpfs_t; - ') - - roleattribute $1 gift_roles; - roleattribute $1 giftd_roles; - - domtrans_pattern($2, gift_exec_t, gift_t) - domtrans_pattern($2, giftd_exec_t, giftd_t) - - allow $2 gift_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { gift_home_t gift_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { gift_home_t gift_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 gift_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 gift_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, gift_home_t, dir, ".giFT") - - ps_process_pattern($2, { gift_t giftd_t }) - allow $2 { gift_t giftd_t }:process { ptrace signal_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gift_role'($*)) dnl - ') - -## Evolution email client. - -######################################## -## -## Role access for evolution. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`evolution_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_role'($*)) dnl - - gen_require(` - attribute_role evolution_roles; - type evolution_t, evolution_exec_t, evolution_home_t; - type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t; - type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t; - type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t; - type evolution_server_t, evolution_server_exec_t, evolution_webcal_t; - type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t; - type evolution_tmpfs_t, evolution_webcal_tmpfs_t; - ') - - roleattribute $1 evolution_roles; - - domtrans_pattern($2, evolution_exec_t, evolution_t) - domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) - domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) - domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) - domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) - - allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms }; - ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t }) - ps_process_pattern($2, { evolution_server_t evolution_webcal_t }) - - allow evolution_t $2:dir search_dir_perms; - allow evolution_t $2:file read_file_perms; - allow evolution_t $2:lnk_file read_lnk_file_perms; - - allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms }; - allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms }; - allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs") - userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution") - - allow $2 evolution_exchange_tmp_t:dir { 
manage_dir_perms relabel_dir_perms }; - allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - - allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto; - - stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) - stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) - - optional_policy(` - evolution_dbus_chat($2) - evolution_alarm_dbus_chat($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_role'($*)) dnl - ') - - -######################################## -## -## Create objects in the evolution home -## directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`evolution_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_home_filetrans'($*)) dnl - - gen_require(` - type evolution_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, evolution_home_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Read evolution home files. -## -## -## -## Domain allowed access. -## -## -# - define(`evolution_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_read_home_files'($*)) dnl - - gen_require(` - type evolution_home_t; - ') - - read_files_pattern($1, evolution_home_t, evolution_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_read_home_files'($*)) dnl - ') - - -######################################## -## -## Connect to evolution using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`evolution_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_stream_connect'($*)) dnl - - gen_require(` - type evolution_t, evolution_orbit_tmp_t; - ') - - - files_search_tmp($1) - stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read evolution orbit temporary -## files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`evolution_read_orbit_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_read_orbit_tmp_files'($*)) dnl - - gen_require(` - type evolution_orbit_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_read_orbit_tmp_files'($*)) dnl - ') - - - -######################################## -## -## Send and receive messages from -## evolution over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`evolution_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_dbus_chat'($*)) dnl - - gen_require(` - type evolution_t; - class dbus send_msg; - ') - - allow $1 evolution_t:dbus send_msg; - allow evolution_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## evolution_alarm over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`evolution_alarm_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_alarm_dbus_chat'($*)) dnl - - gen_require(` - type evolution_alarm_t; - class dbus send_msg; - ') - - allow $1 evolution_alarm_t:dbus send_msg; - allow evolution_alarm_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_alarm_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Make a domain transition to the -## evolution target domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`evolution_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `evolution_domtrans'($*)) dnl - - gen_require(` - type evolution_t, evolution_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, evolution_exec_t, evolution_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `evolution_domtrans'($*)) dnl - ') - -## Various games. - -######################################## -## -## Role access for games. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`games_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `games_role'($*)) dnl - - gen_require(` - attribute_role games_roles; - type games_t, games_exec_t, games_tmp_t; - type games_tmpfs_t; - ') - - roleattribute $1 games_roles; - - domtrans_pattern($2, games_exec_t, games_t) - - allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 games_t:process { ptrace signal_perms }; - ps_process_pattern($2, games_t) - - stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t) - - allow games_t $2:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `games_role'($*)) dnl - ') - - -######################################## -## -## Read and write games data files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`games_rw_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `games_rw_data'($*)) dnl - - gen_require(` - type games_data_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, games_data_t, games_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `games_rw_data'($*)) dnl - ') - - -######################################## -## -## Run a game in the game domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`games_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `games_domtrans'($*)) dnl - - gen_require(` - type games_t, games_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, games_exec_t, games_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `games_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## games over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`games_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `games_dbus_chat'($*)) dnl - - gen_require(` - type games_t; - class dbus send_msg; - ') - - allow $1 games_t:dbus send_msg; - allow games_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `games_dbus_chat'($*)) dnl - ') - -## GNAT Ada95 compiler. - -######################################## -## -## Execute the ada program in the ada domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ada_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ada_domtrans'($*)) dnl - - gen_require(` - type ada_t, ada_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ada_exec_t, ada_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ada_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ada in the ada domain, and -## allow the specified role the ada domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`ada_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ada_run'($*)) dnl - - gen_require(` - attribute_role ada_roles; - ') - - ada_domtrans($1) - roleattribute $2 ada_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ada_run'($*)) dnl - ') - -## Web server log analysis. - -######################################## -## -## Execute webalizer in the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`webalizer_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `webalizer_domtrans'($*)) dnl - - gen_require(` - type webalizer_t, webalizer_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, webalizer_exec_t, webalizer_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `webalizer_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute webalizer in the webalizer -## domain, and allow the specified -## role the webalizer domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`webalizer_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `webalizer_run'($*)) dnl - - gen_require(` - attribute_role webalizer_roles; - ') - - webalizer_domtrans($1) - roleattribute $2 webalizer_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `webalizer_run'($*)) dnl - ') - - -######################################## -## -## Manage webalizer usage files -## -## -## -## Domain allowed to manage webalizer usage files -## -## -## -# - define(`manage_webalizer_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `manage_webalizer_var_lib'($*)) dnl - - gen_require(` - type webalizer_var_lib_t; - ') - - allow $1 webalizer_var_lib_t:dir manage_dir_perms; - allow $1 webalizer_var_lib_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `manage_webalizer_var_lib'($*)) dnl - ') - -## Tool for building alternate livecd for different os and policy versions. - -######################################## -## -## Execute a domain transition to run livecd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`livecd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `livecd_domtrans'($*)) dnl - - gen_require(` - type livecd_t, livecd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, livecd_exec_t, livecd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `livecd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute livecd in the livecd -## domain, and allow the specified -## role the livecd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`livecd_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `livecd_run'($*)) dnl - - gen_require(` - attribute_role livecd_roles; - ') - - livecd_domtrans($1) - roleattribute $2 livecd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `livecd_run'($*)) dnl - ') - - -######################################## -## -## Read livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`livecd_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `livecd_read_tmp_files'($*)) dnl - - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `livecd_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write livecd temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`livecd_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `livecd_rw_tmp_files'($*)) dnl - - gen_require(` - type livecd_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `livecd_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write livecd semaphores. -## -## -## -## Domain allowed access. 
-## -## -# - define(`livecd_rw_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `livecd_rw_semaphores'($*)) dnl - - gen_require(` - type livecd_t; - ') - - allow $1 livecd_t:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `livecd_rw_semaphores'($*)) dnl - ') - -## Log file analyzer for advanced statistics. - -######################################## -## -## Execute the awstats program in -## the awstats domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`awstats_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `awstats_domtrans'($*)) dnl - - gen_require(` - type awstats_t, awstats_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, awstats_exec_t, awstats_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `awstats_domtrans'($*)) dnl - ') - -## Filesystem namespacing/polyinstantiation application. - -######################################## -## -## Execute a domain transition to run seunshare. -## -## -## -## Domain allowed to transition. -## -## -# - define(`seunshare_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seunshare_domtrans'($*)) dnl - - gen_require(` - type seunshare_t, seunshare_exec_t; - ') - - domtrans_pattern($1, seunshare_exec_t, seunshare_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seunshare_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute seunshare in the seunshare domain, and -## allow the specified role the seunshare domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`seunshare_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seunshare_run'($*)) dnl - - gen_require(` - type seunshare_t; - ') - - seunshare_domtrans($1) - role $2 types seunshare_t; - - allow $1 seunshare_t:process signal_perms; - - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; - dontaudit seunshare_t $1:udp_socket rw_socket_perms; - dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seunshare_run'($*)) dnl - ') - - -######################################## -## -## Role access for seunshare -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`seunshare_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seunshare_role'($*)) dnl - - gen_require(` - type seunshare_t; - ') - - role $2 types seunshare_t; - - seunshare_domtrans($1) - - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seunshare_role'($*)) dnl - ') - -## Run .NET server and client applications on Linux. - -####################################### -## -## The role template for the mono module. -## -## -##

-## This template creates a derived domains which are used -## for mono applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`mono_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mono_role_template'($*)) dnl - - gen_require(` - attribute mono_domain; - type mono_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_mono_t, mono_domain; - domain_type($1_mono_t) - domain_entry_file($1_mono_t, mono_exec_t) - role $2 types $1_mono_t; - - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - - ######################################## - # - # Policy - # - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - - allow $3 $1_mono_t:process { ptrace noatsecure signal_perms }; - ps_process_pattern($2, $1_mono_t) - - corecmd_bin_domtrans($1_mono_t, $3) - - userdom_manage_user_tmpfs_files($1_mono_t) - - optional_policy(` - fs_dontaudit_rw_tmpfs_files($1_mono_t) - - xserver_role($1_r, $1_mono_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mono_role_template'($*)) dnl - ') - - -######################################## -## -## Execute mono in the mono domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mono_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mono_domtrans'($*)) dnl - - gen_require(` - type mono_t, mono_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mono_exec_t, mono_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mono_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mono in the mono domain, and -## allow the specified role the mono domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`mono_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mono_run'($*)) dnl - - gen_require(` - attribute_role mono_roles; - ') - - mono_domtrans($1) - roleattribute $2 mono_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mono_run'($*)) dnl - ') - - -######################################## -## -## Execute mono in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`mono_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mono_exec'($*)) dnl - - gen_require(` - type mono_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mono_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mono_exec'($*)) dnl - ') - - -######################################## -## -## Read and write mono shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`mono_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mono_rw_shm'($*)) dnl - - gen_require(` - type mono_t; - ') - - allow $1 mono_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mono_rw_shm'($*)) dnl - ') - -## X Window Managers. - -####################################### -## -## The role template for the wm module. -## -## -##

-## This template creates a derived domains which are used -## for window manager applications. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`wm_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_role_template'($*)) dnl - - gen_require(` - attribute wm_domain; - type wm_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_wm_t, wm_domain; - userdom_user_application_domain($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - - ######################################## - # - # Policy - # - - allow $3 $1_wm_t:fd use; - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; - - allow $3 $1_wm_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_wm_t) - - allow $1_wm_t $3:process { signull sigkill }; - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - - auth_use_nsswitch($1_wm_t) - - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) - - wm_write_pipes($1, $3) - - optional_policy(` - dbus_connect_spec_session_bus($1, $1_wm_t) - dbus_spec_session_bus_client($1, $1_wm_t) - dbus_system_bus_client($1_wm_t) - - optional_policy(` - wm_dbus_chat($1, $3) - ') - ') - - optional_policy(` - gnome_stream_connect_all_gkeyringd($1_wm_t) - ') - - optional_policy(` - policykit_run_auth($1_wm_t, $2) - policykit_signal_auth($1_wm_t) - ') - - optional_policy(` - pulseaudio_run($1_wm_t, $2) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_role_template'($*)) dnl - ') - - -######################################## -## -## Execute wm in the caller domain. 
-## -## -## -## Domain allowed access. -## -## -# - define(`wm_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_exec'($*)) dnl - - gen_require(` - type wm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, wm_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_exec'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## specified wm over dbus. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# - define(`wm_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_dbus_chat'($*)) dnl - - gen_require(` - type $1_wm_t; - class dbus send_msg; - ') - - allow $2 $1_wm_t:dbus send_msg; - allow $1_wm_t $2:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute -## files in temporary directories. -## -## -## -## Domain to not audit. -## -## -# - define(`wm_dontaudit_exec_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_dontaudit_exec_tmp_files'($*)) dnl - - gen_require(` - type wm_tmp_t; - ') - - dontaudit $1 wm_tmp_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_dontaudit_exec_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute -## files in temporary filesystems. -## -## -## -## Domain to not audit. 
-## -## -# - define(`wm_dontaudit_exec_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_dontaudit_exec_tmpfs_files'($*)) dnl - - gen_require(` - type wm_tmpfs_t; - ') - - dontaudit $1 wm_tmpfs_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_dontaudit_exec_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Create a domain for applications -## that are launched by the window -## manager. -## -## -##

-## Create a domain for applications that are launched by the -## window manager (implying a domain transition). Typically -## these are graphical applications that are run interactively. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##
-## -## -## Type to be used in the domain transition as the application -## domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## Type to be used as the source window manager domain. -## -## -## -# - define(`wm_application_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_application_domain'($*)) dnl - - gen_require(` - attribute wm_domain; - ') - - userdom_user_application_domain($1, $2) - domtrans_pattern(wm_domain, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_application_domain'($*)) dnl - ') - - -######################################## -## -## Write wm unnamed pipes. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Domain allowed access. -## -## -# - define(`wm_write_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wm_write_pipes'($*)) dnl - - gen_require(` - type $1_wm_t; - ') - - allow $2 $1_wm_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wm_write_pipes'($*)) dnl - ') - -## Chromium browser - -####################################### -## -## Role access for chromium -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`chromium_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chromium_role'($*)) dnl - - gen_require(` - type chromium_t; - type chromium_renderer_t; - type chromium_sandbox_t; - type chromium_naclhelper_t; - class dbus send_msg; - ') - - role $1 types chromium_t; - role $1 types chromium_renderer_t; - role $1 types chromium_sandbox_t; - role $1 types chromium_naclhelper_t; - - # Transition from the user domain to the derived domain - chromium_domtrans($2) - - # Allow ps to show 
chromium processes and allow the user to signal it - ps_process_pattern($2, chromium_t) - ps_process_pattern($2, chromium_renderer_t) - - allow $2 chromium_t:process signal_perms; - allow $2 chromium_renderer_t:process signal_perms; - allow $2 chromium_naclhelper_t:process signal_perms; - - allow chromium_sandbox_t $2:fd use; - allow chromium_naclhelper_t $2:fd use; - - allow $2 chromium_t:dbus send_msg; - allow chromium_t $2:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chromium_role'($*)) dnl - ') - - -####################################### -## -## Read-write access to Chromiums' temporary fifo files -## -## -## -## Domain allowed access -## -## -# - define(`chromium_rw_tmp_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chromium_rw_tmp_pipes'($*)) dnl - - gen_require(` - type chromium_tmp_t; - ') - - rw_fifo_files_pattern($1, chromium_tmp_t, chromium_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chromium_rw_tmp_pipes'($*)) dnl - ') - - -############################################## -## -## Automatically use the specified type for resources created in chromium's -## temporary locations -## -## -## -## Domain that creates the resource(s) -## -## -## -## -## Type of the resource created -## -## -## -## -## The name of the resource being created -## -## -# - define(`chromium_tmp_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chromium_tmp_filetrans'($*)) dnl - - gen_require(` - type chromium_tmp_t; - ') - - search_dirs_pattern($1, chromium_tmp_t, chromium_tmp_t) - filetrans_pattern($1, chromium_tmp_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chromium_tmp_filetrans'($*)) dnl - ') - - -####################################### -## -## Execute a domain transition to the chromium domain 
(chromium_t) -## -## -## -## Domain allowed access -## -## -# - define(`chromium_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chromium_domtrans'($*)) dnl - - gen_require(` - type chromium_t; - type chromium_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chromium_exec_t, chromium_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chromium_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute chromium in the chromium domain and allow the specified role to access the chromium domain -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access -## -## -# - define(`chromium_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chromium_run'($*)) dnl - - gen_require(` - type chromium_t; - ') - - chromium_domtrans($1) - role $2 types chromium_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chromium_run'($*)) dnl - ') - -## User network interface configuration helper. - -######################################## -## -## Execute usernetctl in the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`usernetctl_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usernetctl_domtrans'($*)) dnl - - gen_require(` - type usernetctl_t, usernetctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usernetctl_exec_t, usernetctl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usernetctl_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute usernetctl in the usernetctl -## domain, and allow the specified role -## the usernetctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`usernetctl_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usernetctl_run'($*)) dnl - - gen_require(` - attribute_role usernetctl_roles; - ') - - usernetctl_domtrans($1) - roleattribute $2 usernetctl_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usernetctl_run'($*)) dnl - ') - -## Thunderbird email client. - -######################################## -## -## Role access for thunderbird. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`thunderbird_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `thunderbird_role'($*)) dnl - - gen_require(` - attribute_role thunderbird_roles; - type thunderbird_t, thunderbird_exec_t, thunderbird_home_t; - type thunderbird_tmpfs_t; - ') - - roleattribute $1 thunderbird_roles; - - domtrans_pattern($2, thunderbird_exec_t, thunderbird_t) - - stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t) - - allow thunderbird_t $2:unix_stream_socket connectto; - - allow $2 thunderbird_t:process { ptrace signal_perms }; - ps_process_pattern($2, thunderbird_t) - - allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `thunderbird_role'($*)) dnl - ') - - -######################################## -## -## Execute thunderbird in the thunderbird domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`thunderbird_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `thunderbird_domtrans'($*)) dnl - - gen_require(` - type thunderbird_t, thunderbird_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `thunderbird_domtrans'($*)) dnl - ') - -## Pulseaudio network sound server. - -######################################## -## -## Role access for pulseaudio. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`pulseaudio_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_role'($*)) dnl - - gen_require(` - attribute pulseaudio_tmpfsfile; - type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; - type pulseaudio_tmp_t; - ') - - pulseaudio_run($2, $1) - - allow $2 pulseaudio_t:process { ptrace signal_perms }; - allow $2 pulseaudio_t:fd use; - ps_process_pattern($2, pulseaudio_t) - - allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map }; - - allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow pulseaudio_t $2:unix_stream_socket connectto; - allow pulseaudio_t $2:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end 
`pulseaudio_role'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run pulseaudio. -## -## -## -## Domain allowed to transition. -## -## -# - define(`pulseaudio_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_domtrans'($*)) dnl - - gen_require(` - attribute pulseaudio_client; - type pulseaudio_t, pulseaudio_exec_t; - ') - - typeattribute $1 pulseaudio_client; - - corecmd_search_bin($1) - domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute pulseaudio in the pulseaudio -## domain, and allow the specified role -## the pulseaudio domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`pulseaudio_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_run'($*)) dnl - - gen_require(` - attribute_role pulseaudio_roles; - ') - - pulseaudio_domtrans($1) - roleattribute $2 pulseaudio_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_run'($*)) dnl - ') - - -######################################## -## -## Execute pulseaudio in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_exec'($*)) dnl - - gen_require(` - type pulseaudio_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pulseaudio_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_exec'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute pulseaudio. 
-## -## -## -## Domain to not audit. -## -## -# - define(`pulseaudio_dontaudit_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_dontaudit_exec'($*)) dnl - - gen_require(` - type pulseaudio_exec_t; - ') - - dontaudit $1 pulseaudio_exec_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_dontaudit_exec'($*)) dnl - ') - - -######################################## -## -## Send null signals to pulseaudio. -## processes. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_signull'($*)) dnl - - gen_require(` - type pulseaudio_t; - ') - - allow $1 pulseaudio_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_signull'($*)) dnl - ') - - -######################################## -## -## Use file descriptors for -## pulseaudio. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_use_fds'($*)) dnl - - gen_require(` - type pulseaudio_t; - ') - - allow $1 pulseaudio_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use the -## file descriptors for pulseaudio. -## -## -## -## Domain allowed access. 
-## -## -# - define(`pulseaudio_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_dontaudit_use_fds'($*)) dnl - - gen_require(` - type pulseaudio_t; - ') - - dontaudit $1 pulseaudio_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_dontaudit_use_fds'($*)) dnl - ') - - -##################################### -## -## Connect to pulseaudio with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_stream_connect'($*)) dnl - - gen_require(` - type pulseaudio_t, pulseaudio_runtime_t, pulseaudio_tmp_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_runtime_t }, { pulseaudio_tmp_t pulseaudio_runtime_t }, pulseaudio_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_stream_connect'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## pulseaudio over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_dbus_chat'($*)) dnl - - gen_require(` - type pulseaudio_t; - class dbus send_msg; - ') - - allow $1 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Set attributes of pulseaudio home directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`pulseaudio_setattr_home_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_setattr_home_dir'($*)) dnl - - gen_require(` - type pulseaudio_home_t; - ') - - allow $1 pulseaudio_home_t:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_setattr_home_dir'($*)) dnl - ') - - -######################################## -## -## Read pulseaudio home content. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_read_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_read_home'($*)) dnl - - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir list_dir_perms; - allow $1 pulseaudio_home_t:file read_file_perms; - allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_read_home'($*)) dnl - ') - - -######################################## -## -## Read and write Pulse Audio files. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_rw_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_rw_home_files'($*)) dnl - - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_rw_home_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## pulseaudio home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`pulseaudio_manage_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home'($*)) dnl - - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir manage_dir_perms; - allow $1 pulseaudio_home_t:file manage_file_perms; - allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the pulseaudio -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`pulseaudio_home_filetrans_pulseaudio_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_home_filetrans_pulseaudio_home'($*)) dnl - - gen_require(` - type pulseaudio_home_t; - ') - - userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_home_filetrans_pulseaudio_home'($*)) dnl - ') - - -######################################## -## -## Make the specified tmpfs file type -## pulseaudio tmpfs content. -## -## -## -## File type to make pulseaudio tmpfs content. -## -## -# - define(`pulseaudio_tmpfs_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_tmpfs_content'($*)) dnl - - gen_require(` - attribute pulseaudio_tmpfsfile; - ') - - typeattribute $1 pulseaudio_tmpfsfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_tmpfs_content'($*)) dnl - ') - - -####################################### -## -## Read pulseaudio tmpfs files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_read_tmpfs_files'($*)) dnl - - gen_require(` - type pulseaudio_tmpfs_t; - ') - - fs_search_tmpfs($1) - read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_read_tmpfs_files'($*)) dnl - ') - - -####################################### -## -## Read and write pulseaudio tmpfs -## files. -## -## -## -## Domain allowed access. -## -## -# - define(`pulseaudio_rw_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_rw_tmpfs_files'($*)) dnl - - gen_require(` - type pulseaudio_tmpfs_t; - ') - - fs_search_tmpfs($1) - rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_rw_tmpfs_files'($*)) dnl - ') - - -# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces - -######################################## -## -## Mark the specified domain as a PulseAudio client domain -## and the related tmpfs file type as a (shared) PulseAudio tmpfs -## file type used for the shared memory access -## -## -## -## Domain to become a PulseAudio client domain -## -## -## -## -## Tmpfs type used for shared memory of the given domain -## -## -# - define(`pulseaudio_client_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pulseaudio_client_domain'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - pulseaudio_domtrans($1) - pulseaudio_tmpfs_content($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pulseaudio_client_domain'($*)) dnl - ') - -## Mplayer media player and encoder. 
- -######################################## -## -## Role access for mplayer -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`mplayer_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_role'($*)) dnl - - gen_require(` - attribute_role mencoder_roles, mplayer_roles; - type mencoder_t, mencoder_exec_t, mplayer_home_t; - type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 mencoder_roles; - roleattribute $1 mplayer_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, mencoder_exec_t, mencoder_t) - domtrans_pattern($2, mplayer_exec_t, mplayer_t) - - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mplayer_t mencoder_t }) - - allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer") - - allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_role'($*)) dnl - ') - - -######################################## -## -## Run mplayer in mplayer domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mplayer_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_domtrans'($*)) dnl - - gen_require(` - type mplayer_t, mplayer_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mplayer_exec_t, mplayer_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mplayer in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# - define(`mplayer_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_exec'($*)) dnl - - gen_require(` - type mplayer_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, mplayer_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_exec'($*)) dnl - ') - - -######################################## -## -## Read mplayer user home content files. -## -## -## -## Domain allowed access. -## -## -# - define(`mplayer_read_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_read_user_home_files'($*)) dnl - - gen_require(` - type mplayer_home_t; - ') - - userdom_search_user_home_dirs($1) - read_files_pattern($1, mplayer_home_t, mplayer_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_read_user_home_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic mplayer home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mplayer_manage_generic_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_manage_generic_home_content'($*)) dnl - - gen_require(` - type mplayer_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mplayer_home_t:dir manage_dir_perms; - allow $1 mplayer_home_t:file manage_file_perms; - allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_manage_generic_home_content'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the generic mplayer -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mplayer_home_filetrans_mplayer_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mplayer_home_filetrans_mplayer_home'($*)) dnl - - gen_require(` - type mplayer_home_t; - ') - - userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mplayer_home_filetrans_mplayer_home'($*)) dnl - ') - -## Lock one or more sessions on the Linux console. - -####################################### -## -## Execute vlock in the vlock domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`vlock_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vlock_domtrans'($*)) dnl - - gen_require(` - type vlock_t, vlock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vlock_exec_t, vlock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vlock_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute vlock in the vlock domain, -## and allow the specified role -## the vlock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed to access. -## -## -## -# - define(`vlock_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vlock_run'($*)) dnl - - gen_require(` - attribute_role vlock_roles; - ') - - vlock_domtrans($1) - roleattribute $2 vlock_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vlock_run'($*)) dnl - ') - -## User mode linux tools and services. - -######################################## -## -## Role access for uml. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`uml_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uml_role'($*)) dnl - - gen_require(` - attribute_role uml_roles; - type uml_t, uml_exec_t; - type uml_ro_t, uml_rw_t, uml_tmp_t; - type uml_tmpfs_t; - ') - - roleattribute $1 uml_roles; - - domtrans_pattern($2, uml_exec_t, uml_t) - - dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t) - - allow uml_t $2:unix_dgram_socket sendto; - - ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; - - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uml_role'($*)) dnl - ') - - -######################################## -## -## Set attributes of uml pid sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`uml_setattr_util_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uml_setattr_util_sockets'($*)) dnl - - gen_require(` - type uml_switch_runtime_t; - ') - - allow $1 uml_switch_runtime_t:sock_file setattr_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uml_setattr_util_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## uml pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`uml_manage_util_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uml_manage_util_files'($*)) dnl - - gen_require(` - type uml_switch_runtime_t; - ') - - manage_files_pattern($1, uml_switch_runtime_t, uml_switch_runtime_t) - manage_lnk_files_pattern($1, uml_switch_runtime_t, uml_switch_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uml_manage_util_files'($*)) dnl - ') - -## Yum/Apt Mirroring. - -######################################## -## -## Execute yam in the yam domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`yam_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `yam_domtrans'($*)) dnl - - gen_require(` - type yam_t, yam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, yam_exec_t, yam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `yam_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute yam in the yam domain, and -## allow the specified role the yam domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`yam_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `yam_run'($*)) dnl - - gen_require(` - attribute_role yam_roles; - ') - - yam_domtrans($1) - roleattribute $2 yam_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `yam_run'($*)) dnl - ') - - -######################################## -## -## Read yam content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`yam_read_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `yam_read_content'($*)) dnl - - gen_require(` - type yam_content_t; - ') - - allow $1 yam_content_t:dir list_dir_perms; - read_files_pattern($1, yam_content_t, yam_content_t) - read_lnk_files_pattern($1, yam_content_t, yam_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `yam_read_content'($*)) dnl - ') - -## libmtp: An Initiatior implementation of the Media Transfer Protocol (MTP). - -########################################################### -## -## Role access for libmtp. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`libmtp_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libmtp_role'($*)) dnl - - gen_require(` - attribute_role libmtp_roles; - type libmtp_t, libmtp_exec_t; - ') - - roleattribute $1 libmtp_roles; - - domtrans_pattern($2, libmtp_exec_t, libmtp_t) - - allow $2 libmtp_t:process { ptrace signal_perms }; - ps_process_pattern($2, libmtp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libmtp_role'($*)) dnl - ') - -## A Unix manpage-to-HTML converter. -## Library for locking devices. - -######################################## -## -## Role access for lockdev. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`lockdev_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lockdev_role'($*)) dnl - - gen_require(` - attribute_role lockdev_roles; - type lockdev_t, lockdev_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 lockdev_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, lockdev_exec_t, lockdev_t) - - allow $2 lockdev_t:process { ptrace signal_perms }; - ps_process_pattern($2, lockdev_t) - - allow lockdev_t $2:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lockdev_role'($*)) dnl - ') - -## Policy for GNU Privacy Guard and related programs. - -############################################################ -## -## Role access for gpg. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`gpg_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_role'($*)) dnl - - gen_require(` - attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; - type gpg_t, gpg_exec_t, gpg_agent_t; - type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; - type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t; - ') - - roleattribute $1 gpg_roles; - roleattribute $1 gpg_agent_roles; - roleattribute $1 gpg_helper_roles; - roleattribute $1 gpg_pinentry_roles; - - domtrans_pattern($2, gpg_exec_t, gpg_t) - domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - - allow $2 self:process setrlimit; - allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) - - allow gpg_pinentry_t $2:process signull; - allow gpg_helper_t $2:fd use; - allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; - - allow $2 { 
gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; - allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") - userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg") - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_role'($*)) dnl - ') - - -######################################## -## -## Execute the gpg in the gpg domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`gpg_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_domtrans'($*)) dnl - - gen_require(` - type gpg_t, gpg_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gpg_exec_t, gpg_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the gpg in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_exec'($*)) dnl - - gen_require(` - type gpg_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, gpg_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_exec'($*)) dnl - ') - - -######################################## -## -## Execute gpg in a specified domain. -## -## -##

-## Execute gpg in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`gpg_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_spec_domtrans'($*)) dnl - - gen_require(` - type gpg_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, gpg_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the gpg-agent in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_exec_agent',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_exec_agent'($*)) dnl - - gen_require(` - type gpg_agent_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, gpg_agent_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_exec_agent'($*)) dnl - ') - - -###################################### -## -## Make gpg executable files an -## entrypoint for the specified domain. -## -## -## -## The domain for which gpg_exec_t is an entrypoint. -## -## -# - define(`gpg_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_entry_type'($*)) dnl - - gen_require(` - type gpg_exec_t; - ') - - domain_entry_file($1, gpg_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_entry_type'($*)) dnl - ') - - -######################################## -## -## Send generic signals to gpg. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gpg_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_signal'($*)) dnl - - gen_require(` - type gpg_t; - ') - - allow $1 gpg_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_signal'($*)) dnl - ') - - -######################################## -## -## Read and write gpg agent pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_rw_agent_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_rw_agent_pipes'($*)) dnl - - gen_require(` - type gpg_agent_t; - ') - - allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_rw_agent_pipes'($*)) dnl - ') - - -######################################## -## -## Connect to gpg agent socket -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_stream_connect_agent',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_stream_connect_agent'($*)) dnl - - gen_require(` - type gpg_agent_t, gpg_agent_tmp_t; - type gpg_secret_t, gpg_runtime_t; - ') - - stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms; - userdom_search_user_runtime($1) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_stream_connect_agent'($*)) dnl - ') - - -######################################## -## -## Search gpg agent dirs. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gpg_search_agent_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_search_agent_tmp_dirs'($*)) dnl - - gen_require(` - type gpg_agent_tmp_t; - ') - - allow $1 gpg_agent_tmp_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_search_agent_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## filetrans in gpg_agent_tmp_t dirs -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_agent_tmp_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_agent_tmp_filetrans'($*)) dnl - - gen_require(` - type gpg_agent_tmp_t; - ') - - filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_agent_tmp_filetrans'($*)) dnl - ') - - -######################################## -## -## filetrans in gpg_runtime_t dirs -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_runtime_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_runtime_filetrans'($*)) dnl - - gen_require(` - type gpg_runtime_t; - ') - - filetrans_pattern($1, gpg_runtime_t, $2, $3, $4) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_runtime_filetrans'($*)) dnl - ') - - -######################################## -## -## filetrans in gpg_secret_t dirs -## -## -## -## Domain allowed access. 
-## -## -# - define(`gpg_secret_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_secret_filetrans'($*)) dnl - - gen_require(` - type gpg_secret_t; - ') - - filetrans_pattern($1, gpg_secret_t, $2, $3, $4) - allow $1 gpg_secret_t:dir search_dir_perms; - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_secret_filetrans'($*)) dnl - ') - - -######################################## -## -## Send messages to and from gpg -## pinentry over DBUS. -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_pinentry_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_pinentry_dbus_chat'($*)) dnl - - gen_require(` - type gpg_pinentry_t; - class dbus send_msg; - ') - - allow $1 gpg_pinentry_t:dbus send_msg; - allow gpg_pinentry_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_pinentry_dbus_chat'($*)) dnl - ') - - -######################################## -## -## List gpg user secrets. -## -## -## -## Domain allowed access. -## -## -# - define(`gpg_list_user_secrets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpg_list_user_secrets'($*)) dnl - - gen_require(` - type gpg_secret_t; - ') - - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpg_list_user_secrets'($*)) dnl - ') - -## helper function for grantpt(3), changes ownship and permissions of pseudotty. - -######################################## -## -## Execute a domain transition to run ptchown. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ptchown_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ptchown_domtrans'($*)) dnl - - gen_require(` - type ptchown_t, ptchown_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ptchown_exec_t, ptchown_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ptchown_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute ptchown in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ptchown_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ptchown_exec'($*)) dnl - - gen_require(` - type ptchown_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ptchown_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ptchown_exec'($*)) dnl - ') - - -######################################## -## -## Execute ptchown in the ptchown -## domain, and allow the specified -## role the ptchown domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`ptchown_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ptchown_run'($*)) dnl - - gen_require(` - attribute_role ptchown_roles; - ') - - ptchown_domtrans($1) - roleattribute $2 ptchown_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ptchown_run'($*)) dnl - ') - -## QEMU machine emulator and virtualizer. - -####################################### -## -## The template to define a qemu domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`qemu_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_domain_template'($*)) dnl - - ############################## - # - # Declarations - # - - type $1_t; - domain_type($1_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - ############################## - # - # Policy - # - - allow $1_t self:capability { dac_override dac_read_search }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:tun_socket create; - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) - - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - - userdom_use_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` - samba_domtrans_smbd($1_t) - ') - - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) - virt_attach_tun_iface($1_t) - ') - - optional_policy(` - 
xserver_stream_connect($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_domain_template'($*)) dnl - ') - - -######################################## -## -## Role access for qemu. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`qemu_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_role'($*)) dnl - - gen_require(` - type qemu_t; - ') - - qemu_run($2, $1) - - allow $2 qemu_t:process { ptrace signal_perms }; - ps_process_pattern($2, qemu_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_role'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run qemu. -## -## -## -## Domain allowed to transition. -## -## -# - define(`qemu_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_domtrans'($*)) dnl - - gen_require(` - type qemu_t, qemu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, qemu_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a qemu in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_exec'($*)) dnl - - gen_require(` - type qemu_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, qemu_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_exec'($*)) dnl - ') - - -######################################## -## -## Execute qemu in the qemu domain, -## and allow the specified role the -## qemu domain. 
-## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`qemu_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_run'($*)) dnl - - gen_require(` - attribute_role qemu_roles; - ') - - qemu_domtrans($1) - roleattribute $2 qemu_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_run'($*)) dnl - ') - - -######################################## -## -## Read qemu process state files. -## -## -## -## Domain to allow access. -## -## -# - define(`qemu_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_read_state'($*)) dnl - - gen_require(` - type qemu_t; - ') - - kernel_search_proc($1) - allow $1 qemu_t:dir list_dir_perms; - allow $1 qemu_t:file read_file_perms; - allow $1 qemu_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_read_state'($*)) dnl - ') - - -######################################## -## -## Set qemu scheduler. -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_setsched',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_setsched'($*)) dnl - - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process setsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_setsched'($*)) dnl - ') - - -######################################## -## -## Send generic signals to qemu. -## -## -## -## Domain allowed access. 
-## -## -# - define(`qemu_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_signal'($*)) dnl - - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_signal'($*)) dnl - ') - - -######################################## -## -## Send kill signals to qemu. -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_kill'($*)) dnl - - gen_require(` - type qemu_t; - ') - - allow $1 qemu_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_kill'($*)) dnl - ') - - -######################################## -## -## Connect to qemu with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_stream_connect'($*)) dnl - - gen_require(` - type qemu_t, qemu_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, qemu_runtime_t, qemu_runtime_t, qemu_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_stream_connect'($*)) dnl - ') - - -######################################## -## -## Unlink qemu socket -## -## -## -## Domain allowed access. 
-## -## -# - define(`qemu_delete_pid_sock_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_delete_pid_sock_file'($*)) dnl - - gen_require(` - type qemu_runtime_t; - ') - - allow $1 qemu_runtime_t:sock_file unlink; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_delete_pid_sock_file'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run qemu unconfined. -## -## -## -## Domain allowed to transition. -## -## -# - define(`qemu_domtrans_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_domtrans_unconfined'($*)) dnl - - gen_require(` - type unconfined_qemu_t, qemu_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_domtrans_unconfined'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## qemu temporary directories. -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_manage_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_dirs'($*)) dnl - - gen_require(` - type qemu_tmp_t; - ') - - files_search_tmp($1) - manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## qemu temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`qemu_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_files'($*)) dnl - - gen_require(` - type qemu_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_files'($*)) dnl - ') - - -######################################## -## -## Execute qemu in a specified domain. -## -## -##

-## Execute qemu in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`qemu_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_spec_domtrans'($*)) dnl - - gen_require(` - type qemu_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, qemu_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_spec_domtrans'($*)) dnl - ') - - -###################################### -## -## Make qemu executable files an -## entrypoint for the specified domain. -## -## -## -## The domain for which qemu_exec_t is an entrypoint. -## -## -# - define(`qemu_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_entry_type'($*)) dnl - - gen_require(` - type qemu_exec_t; - ') - - domain_entry_file($1, qemu_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_entry_type'($*)) dnl - ') - - -# Gentoo specific but cannot use ifdef distro_gentoo here - -####################################### -## -## Read/write to qemu socket files in /var/run -## -## -## -## Domain allowed access. -## -## -# - define(`qemu_rw_pid_sock_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qemu_rw_pid_sock_files'($*)) dnl - - gen_require(` - type qemu_runtime_t; - ') - - allow $1 qemu_runtime_t:sock_file rw_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qemu_rw_pid_sock_files'($*)) dnl - ') - -## Wireshark packet capture tool. - -############################################################ -## -## Role access for wireshark. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`wireshark_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wireshark_role'($*)) dnl - - gen_require(` - attribute_role wireshark_roles; - type wireshark_t, wireshark_exec_t, wireshark_home_t; - type wireshark_tmp_t, wireshark_tmpfs_t; - ') - - roleattribute $1 wireshark_roles; - - domtrans_pattern($2, wireshark_exec_t, wireshark_t) - - allow $2 wireshark_t:process { ptrace signal_perms }; - ps_process_pattern($2, wireshark_t) - - allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wireshark_role'($*)) dnl - ') - - -######################################## -## -## Execute wireshark in wireshark domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`wireshark_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wireshark_domtrans'($*)) dnl - - gen_require(` - type wireshark_t, wireshark_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wireshark_exec_t, wireshark_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wireshark_domtrans'($*)) dnl - ') - -## Links web browser - -####################################### -## -## The role interface for the links module. -## -## -## -## The role associated with the user domain. 
-## -## -## -## -## The type of the user domain. -## -## -# - define(`links_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `links_role'($*)) dnl - - gen_require(` - type links_t, links_exec_t, links_tmpfs_t, links_home_t; - ') - - ####################################### - # - # Declarations - # - - role $1 types links_t; - - ############################ - # - # Policy - # - - manage_dirs_pattern($2, links_home_t, links_home_t) - manage_files_pattern($2, links_home_t, links_home_t) - manage_lnk_files_pattern($2, links_home_t, links_home_t) - - relabel_dirs_pattern($2, links_home_t, links_home_t) - relabel_files_pattern($2, links_home_t, links_home_t) - relabel_lnk_files_pattern($2, links_home_t, links_home_t) - - domtrans_pattern($2, links_exec_t, links_t) - - ps_process_pattern($2, links_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `links_role'($*)) dnl - ') - -## PHP FastCGI Process Manager - -################################################# -## -## Administrate a phpfpm environment -## -## -## -## Domain allowed access -## -## -# - define(`phpfpm_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `phpfpm_admin'($*)) dnl - - gen_require(` - type phpfpm_t; - type phpfpm_log_t, phpfpm_tmp_t, phpfpm_runtime_t; - ') - - allow $1 phpfpm_t:process { ptrace signal_perms }; - ps_process_pattern($1, phpfpm_t) - - logging_list_logs($1) - admin_pattern($1, phpfpm_log_t) - - files_list_tmp($1) - admin_pattern($1, phpfpm_tmp_t) - - files_list_pids($1) - admin_pattern($1, phpfpm_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `phpfpm_admin'($*)) dnl - ') - - -######################################## -## -## Connect to phpfpm using a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`phpfpm_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `phpfpm_stream_connect'($*)) dnl - - gen_require(` - type phpfpm_t, phpfpm_runtime_t; - ') - stream_connect_pattern($1, phpfpm_runtime_t, phpfpm_runtime_t, phpfpm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `phpfpm_stream_connect'($*)) dnl - ') - -## policy for dirsrv -# -# Provided by the 389-ds-base package - -######################################## -## -## Execute a domain transition to run dirsrv. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dirsrv_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_domtrans'($*)) dnl - - gen_require(` - type dirsrv_t, dirsrv_exec_t; - ') - - domain_auto_transition_pattern($1, dirsrv_exec_t, dirsrv_t) - - allow dirsrv_t $1:fd use; - allow dirsrv_t $1:fifo_file rw_file_perms; - allow dirsrv_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_domtrans'($*)) dnl - ') - - - -######################################## -## -## Allow caller to signal dirsrv. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_signal'($*)) dnl - - gen_require(` - type dirsrv_t; - ') - - allow $1 dirsrv_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_signal'($*)) dnl - ') - - - -######################################## -## -## Send a null signal to dirsrv. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dirsrv_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_signull'($*)) dnl - - gen_require(` - type dirsrv_t; - ') - - allow $1 dirsrv_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_signull'($*)) dnl - ') - - -####################################### -## -## Allow a domain to manage dirsrv logs. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_manage_log'($*)) dnl - - gen_require(` - type dirsrv_var_log_t; - ') - - allow $1 dirsrv_var_log_t:dir manage_dir_perms; - allow $1 dirsrv_var_log_t:file manage_file_perms; - allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_manage_log'($*)) dnl - ') - - -####################################### -## -## Allow a domain to manage dirsrv /var/lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_manage_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_lib'($*)) dnl - - gen_require(` - type dirsrv_var_lib_t; - ') - allow $1 dirsrv_var_lib_t:dir manage_dir_perms; - allow $1 dirsrv_var_lib_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_lib'($*)) dnl - ') - - -####################################### -## -## Allow a domain to manage dirsrv /var/run files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dirsrv_manage_var_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_run'($*)) dnl - - gen_require(` - type dirsrv_runtime_t; - ') - allow $1 dirsrv_runtime_t:dir manage_dir_perms; - allow $1 dirsrv_runtime_t:file manage_file_perms; - allow $1 dirsrv_runtime_t:sock_file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_run'($*)) dnl - ') - - -###################################### -## -## Allow a domain to create dirsrv pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_pid_filetrans'($*)) dnl - - gen_require(` - type dirsrv_runtime_t; - ') - # Allow creating a dir in /var/run with this type - files_pid_filetrans($1, dirsrv_runtime_t, dir) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_pid_filetrans'($*)) dnl - ') - - -####################################### -## -## Allow a domain to read dirsrv /var/run files. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_read_var_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_read_var_run'($*)) dnl - - gen_require(` - type dirsrv_runtime_t; - ') - allow $1 dirsrv_runtime_t:dir list_dir_perms; - allow $1 dirsrv_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_read_var_run'($*)) dnl - ') - - -######################################## -## -## Manage dirsrv configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dirsrv_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_manage_config'($*)) dnl - - gen_require(` - type dirsrv_config_t; - ') - - allow $1 dirsrv_config_t:dir manage_dir_perms; - allow $1 dirsrv_config_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_manage_config'($*)) dnl - ') - - -######################################## -## -## Read dirsrv share files. -## -## -## -## Domain allowed access. -## -## -# - define(`dirsrv_read_share',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirsrv_read_share'($*)) dnl - - gen_require(` - type dirsrv_share_t; - ') - - allow $1 dirsrv_share_t:dir list_dir_perms; - allow $1 dirsrv_share_t:file read_file_perms; - allow $1 dirsrv_share_t:lnk_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirsrv_read_share'($*)) dnl - ') - -## Log file monitoring tool - -####################################### -## -## All of the rules required to administrate -## a logsentry environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`logsentry_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logsentry_admin'($*)) dnl - - gen_require(` - type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t; - ') - - allow $1 logsentry_t:process { ptrace signal_perms }; - ps_process_pattern($1, logsentry_t) - - files_list_etc($1) - admin_pattern($1, logsentry_etc_t) - admin_pattern($1, logsentry_filter_t) - - files_list_tmp($1) - admin_pattern($1, logsentry_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logsentry_admin'($*)) dnl - ') - -## Ceph distributed object storage - -######################################### -## -## Create the individual Ceph domains -## -## -## -## The daemon (osd, mds or mon) for which the rules are created -## -## -# - define(`ceph_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ceph_domain_template'($*)) dnl - - gen_require(` - attribute cephdomain; - attribute cephdata; - attribute cephpidfile; - attribute_role ceph_roles; - - type ceph_runtime_t; - ') - - type ceph_$1_t, cephdomain; - type ceph_$1_exec_t; - init_system_domain(ceph_$1_t, ceph_$1_exec_t) - role ceph_roles types ceph_$1_t; - - type ceph_$1_data_t, cephdata; - files_type(ceph_$1_data_t) - - type ceph_$1_runtime_t, cephpidfile; - typealias ceph_$1_runtime_t alias ceph_$1_var_run_t; - files_pid_file(ceph_$1_runtime_t) - - ######################################## - # - # Local policy - # - # Rules which cannot be made part of the domain - - allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms; - allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_file_perms; - allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms; - allow ceph_$1_t ceph_$1_data_t:file manage_file_perms; - - filetrans_pattern(ceph_$1_t, ceph_runtime_t, ceph_$1_runtime_t, { file sock_file }) - - files_var_lib_filetrans(ceph_$1_t, 
ceph_$1_data_t, { file dir }) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ceph_domain_template'($*)) dnl - ') - - -######################################### -## -## Administrative access for Ceph -## -## -## -## Domain allowed access -## -## -## -## -## Domain allowed access -## -## -# - define(`ceph_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ceph_admin'($*)) dnl - - gen_require(` - attribute cephdomain, cephdata; - type ceph_initrc_exec_t, ceph_log_t; - type ceph_conf_t, ceph_key_t; - ') - - allow $1 cephdomain:process { ptrace signal_perms }; - ps_process_pattern($1, cephdomain) - - init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t) - allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms; - allow $1 ceph_initrc_exec_t:file read_file_perms; - - files_list_etc($1) - admin_pattern($1, ceph_conf_t) - admin_pattern($1, ceph_key_t) - - admin_pattern($1, cephdata) - - admin_pattern($1, ceph_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ceph_admin'($*)) dnl - ') - - -######################################### -## -## Read Ceph key files -## -## -## -## Domain allowed access -## -## -# - define(`ceph_read_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ceph_read_key'($*)) dnl - - gen_require(` - type ceph_key_t; - ') - - allow $1 ceph_key_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ceph_read_key'($*)) dnl - ') - -## rtorrent torrent client - -####################################### -## -## Role access for rtorrent -## -## -## -## The role associated with the user domain. -## -## -## -## -## The user domain. 
-## -## -# - define(`rtorrent_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtorrent_role'($*)) dnl - - gen_require(` - type rtorrent_t, rtorrent_exec_t, rtorrent_home_t, rtorrent_session_t; - ') - - role $1 types rtorrent_t; - - domtrans_pattern($2, rtorrent_exec_t, rtorrent_t) - - allow $2 rtorrent_t:process signal_perms; - - manage_files_pattern($2, rtorrent_home_t, rtorrent_home_t) - - manage_files_pattern($2, rtorrent_session_t, rtorrent_session_t) - manage_dirs_pattern($2, rtorrent_session_t, rtorrent_session_t) - - ps_process_pattern($2, rtorrent_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtorrent_role'($*)) dnl - ') - - -####################################### -## -## Administer the rtorrent application. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# - define(`rtorrent_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtorrent_admin'($*)) dnl - - gen_require(` - type rtorrent_t; - ') - - allow $1 rtorrent_t:process ptrace; - - rtorrent_role($2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtorrent_admin'($*)) dnl - ') - -## Dropbox client - Store, Sync and Share Files Online - -####################################### -## -## The role for using the dropbox client. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The user domain. 
-## -## -# - define(`dropbox_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dropbox_role'($*)) dnl - - gen_require(` - type dropbox_t; - type dropbox_exec_t; - type dropbox_home_t; - type dropbox_tmp_t; - ') - - role $1 types dropbox_t; - - domtrans_pattern($2, dropbox_exec_t, dropbox_t) - - allow $2 dropbox_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, dropbox_home_t, dropbox_home_t) - manage_files_pattern($2, dropbox_home_t, dropbox_home_t) - manage_sock_files_pattern($2, dropbox_home_t, dropbox_home_t) - - manage_files_pattern($2, dropbox_home_t, dropbox_exec_t) - manage_lnk_files_pattern($2, dropbox_home_t, dropbox_exec_t) - - userdom_user_home_dir_filetrans($2, dropbox_home_t, dir, ".dropbox-dist") - filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropbox") - filetrans_pattern($2, dropbox_home_t, dropbox_exec_t, file, "dropboxd") - - manage_dirs_pattern($2, dropbox_tmp_t, dropbox_tmp_t) - manage_files_pattern($2, dropbox_tmp_t, dropbox_tmp_t) - - allow $2 dropbox_content_t:dir relabel_dir_perms; - allow $2 dropbox_content_t:file relabel_file_perms; - - dropbox_manage_content($2) - dropbox_dbus_chat($2) - - ps_process_pattern($2, dropbox_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dropbox_role'($*)) dnl - ') - - -######################################### -## -## Send and receive messages from the dropbox daemon -## over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dropbox_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dropbox_dbus_chat'($*)) dnl - - gen_require(` - type dropbox_t; - class dbus send_msg; - ') - - allow $1 dropbox_t:dbus send_msg; - allow dropbox_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dropbox_dbus_chat'($*)) dnl - ') - - -####################################### -## -## Allow other domains to read dropbox's content files -## -## -## -## The domain that is allowed read access to the dropbox_content_t files -## -## -# - define(`dropbox_read_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dropbox_read_content'($*)) dnl - - gen_require(` - type dropbox_content_t; - ') - - list_dirs_pattern($1, dropbox_content_t, dropbox_content_t) - read_files_pattern($1, dropbox_content_t, dropbox_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dropbox_read_content'($*)) dnl - ') - - -####################################### -## -## Allow other domains to manage dropbox's content files -## -## -## -## The domain that is allowed to manage the dropbox_content_t files and directories -## -## -# - define(`dropbox_manage_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dropbox_manage_content'($*)) dnl - - gen_require(` - type dropbox_content_t; - ') - - manage_dirs_pattern($1, dropbox_content_t, dropbox_content_t) - manage_files_pattern($1, dropbox_content_t, dropbox_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dropbox_manage_content'($*)) dnl - ') - - -## Policy for gorg - -####################################### -## -## Role access for gorg -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`gorg_role',` dnl - 
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gorg_role'($*)) dnl - - gen_require(` - type gorg_t, gorg_exec_t; - ') - - role $1 types gorg_t; - - domain_auto_transition_pattern($2, gorg_exec_t, gorg_t) - allow $2 gorg_t:process { noatsecure siginh rlimitinh }; - allow gorg_t $2:fd use; - allow gorg_t $2:process { sigchld signull }; - - ps_process_pattern($2, gorg_t) - allow $2 gorg_t:process signal_perms; - # Needed for command-usage (pipe) - allow gorg_t $2:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gorg_role'($*)) dnl - ') - -## uWSGI server for Python web applications - -######################################## -## -## Connect to uwsgi using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`uwsgi_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwsgi_stream_connect'($*)) dnl - - gen_require(` - type uwsgi_t, uwsgi_run_t; - ') - - files_search_pids($1) - list_dirs_pattern($1, uwsgi_run_t, uwsgi_run_t) - stream_connect_pattern($1, uwsgi_run_t, uwsgi_run_t, uwsgi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwsgi_stream_connect'($*)) dnl - ') - - -######################################## -## -## Manage uwsgi content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`uwsgi_manage_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwsgi_manage_content'($*)) dnl - - gen_require(` - type uwsgi_content_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, uwsgi_content_t, uwsgi_content_t) - manage_files_pattern($1, uwsgi_content_t, uwsgi_content_t) - manage_lnk_files_pattern($1, uwsgi_content_t, uwsgi_content_t) - - manage_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t) - manage_lnk_files_pattern($1, uwsgi_content_exec_t, uwsgi_content_exec_t) - - optional_policy(` - apache_manage_sys_content($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwsgi_manage_content'($*)) dnl - ') - - -######################################## -## -## Execute uwsgi in the uwsgi domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`uwsgi_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwsgi_domtrans'($*)) dnl - - gen_require(` - type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uwsgi_exec_t, uwsgi_t) - domtrans_pattern($1, uwsgi_content_exec_t, uwsgi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwsgi_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute uwsgi in the callers domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`uwsgi_content_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwsgi_content_exec'($*)) dnl - - gen_require(` - type uwsgi_t, uwsgi_exec_t, uwsgi_content_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, uwsgi_content_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwsgi_content_exec'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate a uWSGI environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`uwsgi_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwsgi_admin'($*)) dnl - - gen_require(` - type uwsgi_t, uwsgi_exec_t, uwsgi_conf_t; - type uwsgi_run_t, uwsgi_var_log_t, uwsgi_tmp_t; - type uwsgi_content_t, uwsgi_content_exec_t; - ') - - allow $1 uwsgi_t:process { ptrace signal_perms }; - ps_process_pattern($1, uwsgi_t) - - files_search_etc($1) - admin_pattern($1, { uwsgi_conf_t uwsgi_exec_t }) - - files_search_var($1) - admin_pattern($1, { uwsgi_content_t uwsgi_content_exec_t }) - - logging_search_logs($1) - admin_pattern($1, { uwsgi_var_log_t }) - - files_search_pids($1) - admin_pattern($1, uwsgi_run_t) - - files_search_tmp($1) - admin_pattern($1, uwsgi_tmp_t) - - corecmd_search_bin($1) - domtrans_pattern($1, uwsgi_exec_t, uwsgi_t) - can_exec($1, uwsgi_content_exec_t) - - optional_policy(` - apache_manage_sys_content($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwsgi_admin'($*)) dnl - ') - -## Mutt e-mail client - -####################################### -## -## The role for using the mutt application. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The user domain. 
-## -## -# - define(`mutt_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mutt_role'($*)) dnl - - gen_require(` - type mutt_t, mutt_exec_t, mutt_home_t, mutt_conf_t, mutt_etc_t; - type mutt_tmp_t; - ') - - role $1 types mutt_t; - - domtrans_pattern($2, mutt_exec_t, mutt_t) - - allow $2 mutt_t:process { ptrace signal_perms }; - - manage_dirs_pattern($2, mutt_home_t, mutt_home_t) - manage_files_pattern($2, mutt_home_t, mutt_home_t) - - manage_dirs_pattern($2, mutt_conf_t, mutt_conf_t) - manage_files_pattern($2, mutt_conf_t, mutt_conf_t) - - relabel_dirs_pattern($2, mutt_home_t, mutt_home_t) - relabel_files_pattern($2, mutt_home_t, mutt_home_t) - - relabel_dirs_pattern($2, mutt_conf_t, mutt_conf_t) - relabel_files_pattern($2, mutt_conf_t, mutt_conf_t) - - relabel_dirs_pattern($2, mutt_tmp_t, mutt_tmp_t) - relabel_files_pattern($2, mutt_tmp_t, mutt_tmp_t) - - ps_process_pattern($2, mutt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mutt_role'($*)) dnl - ') - - -####################################### -## -## Allow other domains to read mutt's home files -## -## -## -## The domain that is allowed read access to the mutt_home_t files -## -## -# - define(`mutt_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mutt_read_home_files'($*)) dnl - - gen_require(` - type mutt_home_t; - ') - - read_files_pattern($1, mutt_home_t, mutt_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mutt_read_home_files'($*)) dnl - ') - - -####################################### -## -## Allow other domains to read mutt's temporary files -## -## -## -## The domain that is allowed read access to the temporary files -## -## -# - define(`mutt_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin 
`mutt_read_tmp_files'($*)) dnl - - gen_require(` - type mutt_tmp_t; - ') - - read_files_pattern($1, mutt_tmp_t, mutt_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mutt_read_tmp_files'($*)) dnl - ') - - -####################################### -## -## Allow other domains to handle mutt's temporary files (used for instance -## for e-mail drafts) -## -## -## -## The domain that is allowed read/write access to the temporary files -## -## -# - define(`mutt_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mutt_rw_tmp_files'($*)) dnl - - gen_require(` - type mutt_tmp_t; - ') - - # The use of rw_files_pattern here is not needed, since this incurs the open privilege as well - allow $1 mutt_tmp_t:dir search_dir_perms; - allow $1 mutt_tmp_t:file { read write }; - files_search_tmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mutt_rw_tmp_files'($*)) dnl - ') - -## Dracut initramfs creation tool - -######################################## -## -## Execute the dracut program in the dracut domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dracut_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dracut_domtrans'($*)) dnl - - gen_require(` - type dracut_t, dracut_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dracut_exec_t, dracut_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dracut_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute dracut in the dracut domain, and -## allow the specified role the dracut domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`dracut_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dracut_run'($*)) dnl - - gen_require(` - type dracut_t; - ') - - dracut_domtrans($1) - role $2 types dracut_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dracut_run'($*)) dnl - ') - - -######################################## -## -## Read/write dracut temporary files -## -## -## -## Domain allowed access. -## -## -# - define(`dracut_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dracut_rw_tmp_files'($*)) dnl - - gen_require(` - type dracut_tmp_t; - ') - - files_search_var($1) - files_search_tmp($1) - - rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dracut_rw_tmp_files'($*)) dnl - ') - - -## Infrastructure management toolset - -######################################### -## -## All the rules required to administer a salt master environment -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access -## -## -# - define(`salt_admin_master',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `salt_admin_master'($*)) dnl - - gen_require(` - type salt_master_t; - type salt_master_initrc_exec_t; - type salt_master_exec_t; - type salt_etc_t; - type salt_runtime_t; - type salt_master_runtime_t; - attribute_role salt_master_roles; - ') - - allow $1 salt_master_t:process { ptrace signal_perms }; - ps_process_pattern($1, salt_master_t) - - init_startstop_service($1, $2, salt_master_t, salt_master_initrc_exec_t) - - # for debugging? 
- role_transition $2 salt_master_exec_t system_r; - domtrans_pattern($1, salt_master_exec_t, salt_master_t) - - roleattribute $2 salt_master_roles; - - files_list_etc($1) - admin_pattern($1, salt_etc_t, salt_etc_t) - - allow $1 salt_runtime_t:dir search_dir_perms; - stream_connect_pattern($1, salt_master_runtime_t, salt_master_runtime_t, salt_master_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `salt_admin_master'($*)) dnl - ') - - -######################################### -## -## All the rules required to administer a salt minion environment -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access -## -## -# - define(`salt_admin_minion',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `salt_admin_minion'($*)) dnl - - gen_require(` - type salt_minion_t; - type salt_minion_initrc_exec_t; - type salt_minion_exec_t; - type salt_etc_t; - attribute_role salt_minion_roles; - ') - - allow $1 salt_minion_t:process { ptrace signal_perms }; - ps_process_pattern($1, salt_minion_t) - - init_startstop_service($1, $2, salt_minion_t, salt_minion_initrc_exec_t) - - # for debugging - role_transition $2 salt_minion_exec_t system_r; - domtrans_pattern($1, salt_minion_exec_t, salt_minion_t) - - roleattribute $2 salt_minion_roles; - - files_list_etc($1) - admin_pattern($1, salt_etc_t, salt_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `salt_admin_minion'($*)) dnl - ') - -## policy for kdeconnect - -######################################## -## -## Execute kdeconnect in the kdeconnect domin. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`kdeconnect_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdeconnect_domtrans'($*)) dnl - - gen_require(` - type kdeconnect_t, kdeconnect_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kdeconnect_exec_t, kdeconnect_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdeconnect_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute kdeconnect in the kdeconnect domain, and -## allow the specified role the kdeconnect domain. -## -## -## -## Domain allowed to transition -## -## -## -## -## The role to be allowed the kdeconnect domain. -## -## -# - define(`kdeconnect_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdeconnect_run'($*)) dnl - - gen_require(` - type kdeconnect_t; - ') - - kdeconnect_domtrans($1) - role $2 types kdeconnect_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdeconnect_run'($*)) dnl - ') - - -######################################## -## -## Role access for kdeconnect -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`kdeconnect_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdeconnect_role'($*)) dnl - - gen_require(` - type kdeconnect_t; - ') - - role $1 types kdeconnect_t; - - kdeconnect_domtrans($2) - - allow $2 kdeconnect_t:unix_stream_socket connectto; - allow kdeconnect_t $2:unix_stream_socket { read write connectto }; - - ps_process_pattern($2, kdeconnect_t) - allow $2 kdeconnect_t:process { signull signal sigkill }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdeconnect_role'($*)) dnl - ') - - -######################################### -## -## Send and receive messages from the kdeconnect daemon -## over dbus. 
-## -## -## -## Domain allowed access. -## -## -# - define(`kdeconnect_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kdeconnect_dbus_chat'($*)) dnl - - gen_require(` - type kdeconnect_t; - class dbus send_msg; - ') - - allow $1 kdeconnect_t:dbus send_msg; - allow kdeconnect_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kdeconnect_dbus_chat'($*)) dnl - ') - -## Android development tools - adb, fastboot, android studio - -####################################### -## -## The role for using the android tools. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The user domain. -## -## -# - define(`android_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `android_role'($*)) dnl - - gen_require(` - type android_tools_t; - type android_tools_exec_t; - type android_home_t; - type android_tmp_t; - type android_java_t; - type android_java_exec_t; - type android_sdk_t; - ') - - role $1 types android_tools_t; - role $1 types android_java_t; - - domtrans_pattern($2, android_tools_exec_t, android_tools_t) - domtrans_pattern($2, android_java_exec_t, android_java_t) - - allow $2 android_tools_t:process { ptrace signal_perms }; - allow $2 android_java_t:process { ptrace signal_perms noatsecure siginh rlimitinh }; - - manage_dirs_pattern($2, android_home_t, android_home_t) - manage_files_pattern($2, android_home_t, android_home_t) - manage_lnk_files_pattern($2, android_home_t, android_home_t) - - list_dirs_pattern($2, android_sdk_t, android_sdk_t) - read_files_pattern($2, android_sdk_t, android_sdk_t) - read_lnk_files_pattern($2, android_sdk_t, android_sdk_t) - - userdom_user_home_dir_filetrans($2, android_home_t, dir, ".android") - userdom_user_home_dir_filetrans($2, android_home_t, dir, ".AndroidStudioBeta") - userdom_user_home_dir_filetrans($2, android_home_t, dir, 
".AndroidStudio") - - manage_dirs_pattern($2, android_tmp_t, android_tmp_t) - manage_files_pattern($2, android_tmp_t, android_tmp_t) - - allow $2 android_home_t:dir relabel_dir_perms; - allow $2 android_home_t:file relabel_file_perms; - allow $2 android_tools_exec_t:file relabel_file_perms; - - ps_process_pattern($2, android_tools_t) - ps_process_pattern($2, android_java_t) - - android_dbus_chat($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `android_role'($*)) dnl - ') - - -######################################### -## -## Execute the android tools commands in the -## android tools domain. -## -## -## -## Domain allowed access. -## -## - - define(`android_tools_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `android_tools_domtrans'($*)) dnl - - gen_require(` - type android_tools_t; - type android_tools_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, android_tools_exec_t, android_tools_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `android_tools_domtrans'($*)) dnl - ') - - -######################################### -## -## Send and receive messages from the android java -## domain over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`android_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `android_dbus_chat'($*)) dnl - - gen_require(` - type android_java_t; - class dbus send_msg; - ') - - allow $1 android_java_t:dbus send_msg; - allow android_java_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `android_dbus_chat'($*)) dnl - ') - -## OpenResolv network configuration management - -######################################### -## -## Mark the domain as a resolvconf client, automatically granting -## the necessary privileges (execute resolvconf and type access). 
-## -## -## -## Domain to mark as a resolvconf client -## -## -# - define(`resolvconf_client_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resolvconf_client_domain'($*)) dnl - - gen_require(` - attribute resolvconf_client; - ') - - typeattribute $1 resolvconf_client; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resolvconf_client_domain'($*)) dnl - ') - - -######################################### -## -## Assign the proper permissions to the domain, such as -## executing resolvconf and accessing its types. -## -## -## -## Domain to assign proper permissions to -## -## -# - define(`resolvconf_client_domain_privs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resolvconf_client_domain_privs'($*)) dnl - - resolvconf_domtrans($1) - resolvconf_generic_run_filetrans_run($1, dir, "resolvconf") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resolvconf_client_domain_privs'($*)) dnl - ') - - -######################################### -## -## Execute resolvconf and transition to the resolvconf_t domain -## -## -## -## Domain allowed to transition -## -## -# - define(`resolvconf_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resolvconf_domtrans'($*)) dnl - - gen_require(` - type resolvconf_t; - type resolvconf_exec_t; - ') - - domtrans_pattern($1, resolvconf_exec_t, resolvconf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resolvconf_domtrans'($*)) dnl - ') - - -######################################### -## -## Execute resolvconf in the calling domain (no transition) -## -## -## -## Domain allowed to execute -## -## -# - define(`resolvconf_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resolvconf_exec'($*)) 
dnl - - gen_require(` - type resolvconf_exec_t; - ') - - can_exec($1, resolvconf_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resolvconf_exec'($*)) dnl - ') - - -######################################### -## -## Transition to resolvconf_run_t when creating resources -## inside the generic run directory -## -## -## -## Domain allowed access -## -## -## -## -## Class on which a file transition has to occur -## -## -## -## -## Name of the resource on which a file transition has to occur -## -## -# - define(`resolvconf_generic_run_filetrans_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resolvconf_generic_run_filetrans_run'($*)) dnl - - gen_require(` - type resolvconf_runtime_t; - ') - - files_pid_filetrans($1, resolvconf_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resolvconf_generic_run_filetrans_run'($*)) dnl - ') - -## -## Flash player -## - -##################################### -## -## Manage the Flash player home files -## -## -## -## Domain allowed access -## -## -# - define(`flash_manage_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `flash_manage_home'($*)) dnl - - gen_require(` - type flash_home_t; - ') - - manage_files_pattern($1, flash_home_t, flash_home_t) - manage_dirs_pattern($1, flash_home_t, flash_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `flash_manage_home'($*)) dnl - ') - -#################################### -## -## Relabel the flash home resources -## -## -## -## Domain allowed access -## -## -# - define(`flash_relabel_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `flash_relabel_home'($*)) dnl - - gen_require(` - type flash_home_t; - ') - - relabel_files_pattern($1, flash_home_t, flash_home_t) - 
relabel_dirs_pattern($1, flash_home_t, flash_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `flash_relabel_home'($*)) dnl - ') - -## -## Google Talk -## - -########################################## -## -## Grant the plugin domain the needed privileges to launch and -## interact with the GoogleTalk application. Used for web browser -## plugin domains. -## -## -## -## Domain allowed access -## -## -# - define(`googletalk_plugin_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_plugin_domain'($*)) dnl - - gen_require(` - type googletalk_plugin_t; - type googletalk_plugin_xdg_config_t; - ') - - allow $1 googletalk_plugin_t:fd use; - allow $1 googletalk_plugin_t:unix_stream_socket { read write }; - - allow googletalk_plugin_t $1:unix_dgram_socket sendto; - - # GoogleTalk process binds on an unreserved port, the client (plugin) - # then connects to this port - corenet_tcp_connect_all_unreserved_ports($1) - - googletalk_domtrans_plugin($1) - - # Create .config/google-googletalkplugin with correct type - manage_dirs_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) - manage_files_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) - xdg_config_home_filetrans($1, googletalk_plugin_xdg_config_t, dir, "google-googletalkplugin") - xdg_search_config_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_plugin_domain'($*)) dnl - ') - - -####################################### -## -## Execute Google talk plugin in the Google talk plugin domain -## -## -## -## Domain allowed to transition -## -## -# - define(`googletalk_domtrans_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_domtrans_plugin'($*)) dnl - - gen_require(` - type googletalk_plugin_t, googletalk_plugin_exec_t; - ') - - 
corecmd_search_bin($1) - domtrans_pattern($1, googletalk_plugin_exec_t, googletalk_plugin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_domtrans_plugin'($*)) dnl - ') - - -####################################### -## -## Execute Google talk plugin in the Google talk plugin domain, -## and allow the specified role the google talk plugin domain. -## -## -## -## Domain allowed to transition -## -## -## -## -## Role allowed access -## -## -# - define(`googletalk_run_plugin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_run_plugin'($*)) dnl - - gen_require(` - type googletalk_plugin_t; - ') - - googletalk_domtrans_plugin($1) - role $2 types googletalk_plugin_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_run_plugin'($*)) dnl - ') - - -######################################## -## -## Use the file descriptor of googletalk plugin -## -## -## -## Domain allowed access -## -## -# - define(`googletalk_use_plugin_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_use_plugin_fds'($*)) dnl - - gen_require(` - type googletalk_plugin_t; - ') - - allow $1 googletalk_plugin_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_use_plugin_fds'($*)) dnl - ') - - -######################################## -## -## Read and write to the google talk plugin inherited stream sockets -## -## -## -## Domain allowed access -## -## -# - define(`googletalk_rw_inherited_plugin_unix_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_rw_inherited_plugin_unix_stream_sockets'($*)) dnl - - gen_require(` - type googletalk_plugin_t; - ') - - allow $1 googletalk_plugin_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') 
dnl - policy_m4_comment(policy_call_depth,end `googletalk_rw_inherited_plugin_unix_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Create objects in the xdg config home location -## with an automatic type transition to the googletalk -## plugin xdg config home type -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the file or directory created -## -## -# - define(`googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config'($*)) dnl - - gen_require(` - type googletalk_plugin_xdg_config_t; - ') - - xdg_config_home_filetrans($1, googletalk_plugin_xdg_config_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_generic_xdg_config_home_filetrans_plugin_xdg_config'($*)) dnl - ') - - -####################################### -## -## Manage google talk plugin xdg configuration -## -## -## -## Domain allowed access -## -## -# - define(`googletalk_manage_plugin_xdg_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `googletalk_manage_plugin_xdg_config'($*)) dnl - - gen_require(` - type googletalk_plugin_xdg_config_t; - ') - - manage_dirs_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) - manage_files_pattern($1, googletalk_plugin_xdg_config_t, googletalk_plugin_xdg_config_t) - - xdg_search_config_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `googletalk_manage_plugin_xdg_config'($*)) dnl - ') - -## At daemon for running a task a single time - -######################################## -## -## Role access for at -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - 
define(`at_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `at_role'($*)) dnl - - gen_require(` - type at_exec_t; - type at_t; - type atd_t; - type at_job_log_t; - type at_job_t; - ') - - ############################## - # - # Declarations - # - - role $1 types at_t; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, at_exec_t, at_t) - - allow $2 at_t:process signal_perms; - - ps_process_pattern($2, at_t) - - allow atd_t $2:process transition; - allow atd_t $2:fd use; - allow atd_t $2:key manage_key_perms; - dontaudit atd_t $2:process { noatsecure siginh rlimitinh }; - - allow $2 atd_t:process sigchld; - allow $2 atd_t:fd use; - - allow $2 at_job_t:file read_inherited_file_perms; - allow $2 at_job_log_t:file rw_inherited_file_perms; - - corecmd_shell_entry_type($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `at_role'($*)) dnl - ') - - -######################################## -## -## Read from and write to the the inherited atd -## joblog file -## -## -## -## Domain allowed access -## -## -# - define(`at_rw_inherited_job_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `at_rw_inherited_job_log_files'($*)) dnl - - gen_require(` - type at_job_log_t; - ') - - allow $1 at_job_log_t:file rw_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `at_rw_inherited_job_log_files'($*)) dnl - ') - -## Subsonic Music Streaming Server -## Pan news reader client - -######################################## -## -## Role access for pan -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`pan_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pan_role'($*)) dnl - - gen_require(` - type pan_t, pan_exec_t, pan_home_t; - ') - 
role $1 types pan_t; - - allow $2 pan_t:process signal_perms; - - domtrans_pattern($2, pan_exec_t, pan_t) - - ps_process_pattern($2, pan_t) - - manage_dirs_pattern($2, pan_home_t, pan_home_t) - manage_files_pattern($2, pan_home_t, pan_home_t) - manage_lnk_files_pattern($2, pan_home_t, pan_home_t) - - relabel_dirs_pattern($2, pan_home_t, pan_home_t) - relabel_files_pattern($2, pan_home_t, pan_home_t) - relabel_lnk_files_pattern($2, pan_home_t, pan_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pan_role'($*)) dnl - ') - - -############################################################################### -# SELinux module for the NGINX Web Server -# -# Project Contact Information: -# Stuart Cianos -# Email: scianos@alphavida.com -# -############################################################################### -# (C) Copyright 2009 by Stuart Cianos, d/b/a AlphaVida. All Rights Reserved. -# -# -# Stuart Cianos licenses this file to You under the GNU General Public License, -# Version 3.0 (the "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.gnu.org/licenses/gpl.txt -# -# or in the COPYING file included in the original archive. -# -# Disclaimer of Warranty. -# -# THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -# APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -# HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -# OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -# IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -# ALL NECESSARY SERVICING, REPAIR OR CORRECTION. -# -# Limitation of Liability. 
-# -# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -# THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -# GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -# USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -# DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -# PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -# EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGES. -############################################################################### -## policy for nginx - -######################################## -## -## Execute a domain transition to run nginx. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nginx_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nginx_domtrans'($*)) dnl - - gen_require(` - type nginx_t, nginx_exec_t; - ') - allow nginx_t $1:fd use; - allow nginx_t $1:fifo_file rw_file_perms; - allow nginx_t $1:process sigchld; - - domain_auto_transition_pattern($1, nginx_exec_t, nginx_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nginx_domtrans'($*)) dnl - ') - - -######################################## -## -## Administer the nginx domain -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the nginx domain. 
-## -## -## -# - define(`nginx_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nginx_admin'($*)) dnl - - gen_require(` - type nginx_t, nginx_conf_t, nginx_log_t, nginx_var_lib_t, nginx_runtime_t; - type nginx_exec_t; - ') - - allow $1 nginx_t:process { ptrace signal_perms }; - ps_process_pattern($1, nginx_t) - - files_list_etc($1) - admin_pattern($1, nginx_conf_t) - - can_exec($1, nginx_exec_t) - - files_list_var_lib($1) - admin_pattern($1, nginx_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, nginx_log_t) - - files_list_pids($1) - admin_pattern($1, nginx_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nginx_admin'($*)) dnl - ') - -## Skype softphone. - -####################################### -## -## Role access for the skype module. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`skype_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `skype_role'($*)) dnl - - gen_require(` - type skype_t, skype_exec_t, skype_tmpfs_t, skype_home_t; - ') - - role $1 types skype_t; - - domtrans_pattern($2, skype_exec_t, skype_t) - - allow $2 skype_t:process { ptrace signal_perms }; - dontaudit skype_t $2:unix_stream_socket { connectto }; - - manage_dirs_pattern($2, skype_home_t, skype_home_t) - manage_files_pattern($2, skype_home_t, skype_home_t) - manage_lnk_files_pattern($2, skype_home_t, skype_home_t) - - relabel_dirs_pattern($2, skype_home_t, skype_home_t) - relabel_files_pattern($2, skype_home_t, skype_home_t) - relabel_lnk_files_pattern($2, skype_home_t, skype_home_t) - - ps_process_pattern($2, skype_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `skype_role'($*)) dnl - ') - -## OpenRC is an init system -## Build whatis database from man pages -## Virtual Distributed Ethernet switch 
service - -######################################## -## -# The rules needed to manage the VDE switches -## -## -## -## The role to be allowed to manage the vde domain. -## -## -## -## -## Domain allowed access. -## -## -## -# - define(`vde_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vde_role'($*)) dnl - - gen_require(` - type vde_t, vde_tmp_t; - type vde_runtime_t; - type vde_initrc_exec_t, vde_exec_t; - ') - - role $1 types vde_t; - - allow $2 vde_t:process { ptrace signal_perms }; - allow $2 vde_t:unix_stream_socket connectto; - allow vde_t $2:process { sigchld signull }; - allow vde_t $2:fd use; - allow vde_t $2:tun_socket { relabelfrom }; - allow vde_t self:tun_socket { relabelfrom relabelto }; - ps_process_pattern($2, vde_t) - - domain_auto_transition_pattern($2, vde_exec_t, vde_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vde_role'($*)) dnl - ') - - -######################################## -## -# Allow communication with the VDE service -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`vde_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vde_connect'($*)) dnl - - gen_require(` - type vde_t, vde_runtime_t, vde_tmp_t; - ') - - allow $1 vde_runtime_t:sock_file write_sock_file_perms; - allow $1 vde_t:unix_stream_socket { connectto }; - allow $1 vde_t:unix_dgram_socket { sendto }; - allow vde_t $1:unix_dgram_socket { sendto }; - - allow $1 vde_tmp_t:sock_file manage_sock_file_perms; - files_tmp_filetrans($1, vde_tmp_t, sock_file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vde_connect'($*)) dnl - ') - -## Bitcoin software-based online payment system - -######################################### -## -## Administer a bitcoin environment -## -## -## -## Domain allowed access -## -## -## -## -## Role allowed access -## -## -# - define(`bitcoin_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bitcoin_admin'($*)) dnl - - gen_require(` - type bitcoin_t; - type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; - type bitcoin_var_lib_t, bitcoin_runtime_t; - type bitcoin_initrc_exec_t; - ') - - allow $1 bitcoin_t:process { ptrace signal_perms }; - ps_process_pattern($1, bitcoin_t) - - init_startstop_service($1, $2, bitcoin_t, bitcoin_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, bitcoin_tmp_t) - - logging_list_logs($1) - admin_pattern($1, bitcoin_log_t) - - files_list_etc($1) - admin_pattern($1, bitcoin_etc_t) - - files_list_var_lib($1) - admin_pattern($1, bitcoin_var_lib_t) - - files_list_pids($1) - admin_pattern($1, bitcoin_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bitcoin_admin'($*)) dnl - ') - -# -# This is a generated file! Instead of modifying this file, the -# corenetwork.if.in or corenetwork.if.m4 file should be modified. 
-# -## Policy controlling access to network objects -## -## Contains the initial SIDs for network objects. -## - -######################################## -## -## Define type to be a network port type -## -## -##

-## Define type to be a network port type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# - define(`corenet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_port'($*)) dnl - - gen_require(` - attribute port_type; - ') - - typeattribute $1 port_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_port'($*)) dnl - ') - - -######################################## -## -## Define network type to be a reserved port (lt 1024) -## -## -##

-## Define network type to be a reserved port (lt 1024) -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# - define(`corenet_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_reserved_port'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - typeattribute $1 reserved_port_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_reserved_port'($*)) dnl - ') - - -######################################## -## -## Define network type to be a rpc port ( 512 lt PORT lt 1024) -## -## -##

-## Define network type to be a rpc port ( 512 lt PORT lt 1024) -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network ports. -## -## -# - define(`corenet_rpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_rpc_port'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - typeattribute $1 rpc_port_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_rpc_port'($*)) dnl - ') - - -######################################## -## -## Define type to be a network node type -## -## -##

-## Define type to be a network node type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for network nodes. -## -## -# - define(`corenet_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_node'($*)) dnl - - gen_require(` - attribute node_type; - ') - - typeattribute $1 node_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_node'($*)) dnl - ') - - -######################################## -## -## Define type to be a network packet type -## -## -##

-## Define type to be a network packet type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for a network packet. -## -## -# - define(`corenet_packet',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_packet'($*)) dnl - - gen_require(` - attribute packet_type; - ') - - typeattribute $1 packet_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_packet'($*)) dnl - ') - - -######################################## -## -## Define type to be a network client packet type -## -## -##

-## Define type to be a network client packet type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for a network client packet. -## -## -# - define(`corenet_client_packet',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_client_packet'($*)) dnl - - gen_require(` - attribute packet_type, client_packet_type; - ') - - typeattribute $1 client_packet_type, packet_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_client_packet'($*)) dnl - ') - - -######################################## -## -## Define type to be a network server packet type -## -## -##

-## Define type to be a network server packet type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for a network server packet. -## -## -# - define(`corenet_server_packet',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_server_packet'($*)) dnl - - gen_require(` - attribute packet_type, server_packet_type; - ') - - typeattribute $1 server_packet_type, packet_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_server_packet'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable -## for labeled ipsec. -## -## -## -## Type to be used for labeled ipsec. -## -## -# - define(`corenet_spd_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_spd_type'($*)) dnl - - gen_require(` - attribute ipsec_spd_type; - ') - - typeattribute $1 ipsec_spd_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_spd_type'($*)) dnl - ') - - -######################################## -## -## Define type to be an infiniband pkey type -## -## -##

-## Define type to be an infiniband pkey type -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for infiniband pkeys. -## -## -# - define(`corenet_ib_pkey',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_pkey'($*)) dnl - - gen_require(` - attribute ibpkey_type; - ') - - typeattribute $1 ibpkey_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_pkey'($*)) dnl - ') - - -######################################## -## -## Define type to be an infiniband endport -## -## -##

-## Define type to be an infiniband endport -##

-##

-## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -##

-##
-## -## -## Type to be used for infiniband endports. -## -## -# - define(`corenet_ib_endport',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_endport'($*)) dnl - - gen_require(` - attribute ibendport_type; - ') - - typeattribute $1 ibendport_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_endport'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on generic interfaces. -## -## -##

-## Allow the specified domain to send and receive TCP network -## traffic on generic network interfaces. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { egress ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_if'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_send_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_if'($*)) dnl - ') - - -######################################## -## -## Dontaudit attempts to send UDP network traffic -## on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_send_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - dontaudit $1 netif_t:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_generic_if'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on generic interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_receive_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_if'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP network -## traffic on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_receive_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - dontaudit $1 netif_t:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_generic_if'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on generic interfaces. -## -## -##

-## Allow the specified domain to send and receive UDP network -## traffic on generic network interfaces. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_node()
  • -##
  • corenet_udp_sendrecv_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_if'($*)) dnl - - corenet_udp_send_generic_if($1) - corenet_udp_receive_generic_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_if'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive UDP network -## traffic on generic interfaces. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_sendrecv_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl - - corenet_dontaudit_udp_send_generic_if($1) - corenet_dontaudit_udp_receive_generic_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_generic_if'($*)) dnl - ') - - -######################################## -## -## Send raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_send_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_if'($*)) dnl - ') - - -######################################## -## -## Receive raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_receive_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_if'($*)) dnl - ') - - -######################################## -## -## Send and receive raw IP packets on generic interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_sendrecv_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_if'($*)) dnl - - corenet_raw_send_generic_if($1) - corenet_raw_receive_generic_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_if'($*)) dnl - ') - - -######################################## -## -## Allow outgoing network traffic on the generic interfaces. -## -## -## -## The peer label of the outgoing network traffic. -## -## -## -# - define(`corenet_out_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_out_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif egress; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_out_generic_if'($*)) dnl - ') - - -######################################## -## -## Allow incoming traffic on the generic interfaces. -## -## -## -## The peer label of the incoming network traffic. 
-## -## -## -# - define(`corenet_in_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_in_generic_if'($*)) dnl - - gen_require(` - type netif_t; - ') - - allow $1 netif_t:netif ingress; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_in_generic_if'($*)) dnl - ') - - -######################################## -## -## Allow incoming and outgoing network traffic on the generic interfaces. -## -## -## -## The peer label of the network traffic. -## -## -## -# - define(`corenet_inout_generic_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_if'($*)) dnl - - corenet_in_generic_if($1) - corenet_out_generic_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_inout_generic_if'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_sendrecv_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_if'($*)) dnl - - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { egress ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_if'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_send_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_if'($*)) dnl - - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_if'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_receive_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_if'($*)) dnl - - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_if'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on all interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_sendrecv_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_if'($*)) dnl - - corenet_udp_send_all_if($1) - corenet_udp_receive_all_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_if'($*)) dnl - ') - - -######################################## -## -## Send raw IP packets on all interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_send_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_if'($*)) dnl - - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_if'($*)) dnl - ') - - -######################################## -## -## Send and receive SCTP network traffic on generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_sendrecv_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_generic_node'($*)) dnl - ') - - -######################################## -## -## Receive raw IP packets on all interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_receive_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_if'($*)) dnl - - gen_require(` - attribute netif_type; - ') - - allow $1 netif_type:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_if'($*)) dnl - ') - - -######################################## -## -## Send and receive raw IP packets on all interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_sendrecv_all_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_if'($*)) dnl - - corenet_raw_send_all_if($1) - corenet_raw_receive_all_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_if'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on generic nodes. -## -## -##

-## Allow the specified domain to send and receive TCP network -## traffic to/from generic network nodes (hostnames/networks). -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_node'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_send_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { sendto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_node'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_receive_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_node'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on generic nodes. -## -## -##

-## Allow the specified domain to send and receive UDP network -## traffic to/from generic network nodes (hostnames/networks). -##

-##

-## Related interface: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_if()
  • -##
  • corenet_udp_sendrecv_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_node'($*)) dnl - - corenet_udp_send_generic_node($1) - corenet_udp_receive_generic_node($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_node'($*)) dnl - ') - - -######################################## -## -## Send raw IP packets on generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_send_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { sendto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_node'($*)) dnl - ') - - -######################################## -## -## Receive raw IP packets on generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_receive_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node { recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_node'($*)) dnl - ') - - -######################################## -## -## Send and receive raw IP packets on generic nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_sendrecv_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_node'($*)) dnl - - corenet_raw_send_generic_node($1) - corenet_raw_receive_generic_node($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_node'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to generic nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_bind_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:sctp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_node'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to generic nodes. -## -## -##

-## Bind TCP sockets to generic nodes. This is -## necessary for binding a socket so it -## can be used for servers to listen -## for incoming connections. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_udp_bind_generic_node()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:tcp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_node'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to generic nodes. -## -## -##

-## Bind UDP sockets to generic nodes. This is -## necessary for binding a socket so it -## can be used for servers to listen -## for incoming connections. -##

-##

-## Related interface: -##

-##
    -##
  • corenet_tcp_bind_generic_node()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:udp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_node'($*)) dnl - ') - - -######################################## -## -## Bind raw sockets to generic nodes. -## -## -## -## Domain allowed access. -## -## -# rawip_socket node_bind does not make much sense. -# cjp: vmware hits this too - define(`corenet_raw_bind_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:rawip_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_bind_generic_node'($*)) dnl - ') - - -######################################## -## -## Allow outgoing network traffic to generic nodes. -## -## -## -## The peer label of the outgoing network traffic. -## -## -## -# - define(`corenet_out_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_out_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_out_generic_node'($*)) dnl - ') - - -######################################## -## -## Allow incoming network traffic from generic nodes. -## -## -## -## The peer label of the incoming network traffic. 
-## -## -## -# - define(`corenet_in_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_in_generic_node'($*)) dnl - - gen_require(` - type node_t; - ') - - allow $1 node_t:node recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_in_generic_node'($*)) dnl - ') - - -######################################## -## -## Allow incoming and outgoing network traffic with generic nodes. -## -## -## -## The peer label of the network traffic. -## -## -## -# - define(`corenet_inout_generic_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_node'($*)) dnl - - corenet_in_generic_node($1) - corenet_out_generic_node($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_inout_generic_node'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_sendrecv_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on all nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_send_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { sendto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_nodes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP network -## traffic on any nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_send_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - dontaudit $1 node_type:node { sendto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send and receive SCTP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_sendrecv_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_all_nodes'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on all nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_receive_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_nodes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP -## network traffic on all nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_receive_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - dontaudit $1 node_type:node { recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_sendrecv_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_nodes'($*)) dnl - - corenet_udp_send_all_nodes($1) - corenet_udp_receive_all_nodes($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_nodes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive UDP -## network traffic on any nodes nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_udp_sendrecv_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl - - corenet_dontaudit_udp_send_all_nodes($1) - corenet_dontaudit_udp_receive_all_nodes($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send raw IP packets on all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_send_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { sendto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_nodes'($*)) dnl - ') - - -######################################## -## -## Receive raw IP packets on all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_receive_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send and receive raw IP packets on all nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_sendrecv_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_nodes'($*)) dnl - - corenet_raw_send_all_nodes($1) - corenet_raw_receive_all_nodes($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_nodes'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_bind_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:tcp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_nodes'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_bind_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:udp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_nodes'($*)) dnl - ') - - -######################################## -## -## Bind raw sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# rawip_socket node_bind does not make much sense. 
-# cjp: vmware hits this too - define(`corenet_raw_bind_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:rawip_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_bind_all_nodes'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_sendrecv_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_port'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to all nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_bind_all_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_nodes'($*)) dnl - - gen_require(` - attribute node_type; - ') - - allow $1 node_type:sctp_socket node_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_nodes'($*)) dnl - ') - - - -######################################## -## -## Do not audit send and receive TCP network traffic on generic ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_dontaudit_tcp_sendrecv_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_send_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_receive_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on generic ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_sendrecv_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_bind_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_port'($*)) dnl - - gen_require(` - type port_t; - attribute defined_port_type; - ') - - allow $1 port_t:tcp_socket name_bind; - dontaudit $1 defined_port_type:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_port'($*)) dnl - ') - - -######################################## -## -## Do not audit bind TCP sockets to generic ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_tcp_bind_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl - - gen_require(` - type port_t; - ') - - dontaudit $1 port_t:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to generic ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_bind_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_port'($*)) dnl - - gen_require(` - type port_t; - attribute defined_port_type; - ') - - allow $1 port_t:udp_socket name_bind; - dontaudit $1 defined_port_type:udp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_port'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_generic_port'($*)) dnl - - gen_require(` - type port_t; - ') - - allow $1 port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_generic_port'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on all ports. -## -## -##

-## Send and receive TCP network traffic on all ports. -## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_connect_all_ports()
  • -##
  • corenet_tcp_bind_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_ports'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on all ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_send_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_ports'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_bind_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_port'($*)) dnl - - gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; - attribute defined_port_type; - ') - - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; - dontaudit $1 defined_port_type:sctp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on all ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_receive_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_ports'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on all ports. -## -## -##

-## Send and receive UDP network traffic on all ports. -## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_udp_sendrecv_generic_if()
  • -##
  • corenet_udp_sendrecv_generic_node()
  • -##
  • corenet_udp_bind_all_ports()
  • -##
-##

-## Example client being able to send to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:udp_socket create_socket_perms; -## corenet_udp_sendrecv_generic_if(myclient_t) -## corenet_udp_sendrecv_generic_node(myclient_t) -## corenet_udp_sendrecv_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind SCTP -## sockets to generic ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_sctp_bind_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl - - gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; - ') - - dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to all ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - allow $1 port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attepts to bind TCP sockets to any ports. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_tcp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to all ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - allow $1 port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Connect SCTP sockets to generic ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_connect_generic_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_generic_port'($*)) dnl - - gen_require(` - type port_t, unreserved_port_t,ephemeral_port_t; - ') - - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_generic_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attepts to bind UDP sockets to any ports. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_udp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:udp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to all ports. -## -## -##

-## Connect TCP sockets to all ports -##

-##

-## Related interfaces: -##

-##
    -##
  • corenet_all_recvfrom_unlabeled()
  • -##
  • corenet_tcp_sendrecv_generic_if()
  • -##
  • corenet_tcp_sendrecv_generic_node()
  • -##
  • corenet_tcp_sendrecv_all_ports()
  • -##
  • corenet_tcp_bind_all_ports()
  • -##
-##

-## Example client being able to connect to all ports over -## generic nodes, without labeled networking: -##

-##

-## allow myclient_t self:tcp_socket create_stream_socket_perms; -## corenet_tcp_sendrecv_generic_if(myclient_t) -## corenet_tcp_sendrecv_generic_node(myclient_t) -## corenet_tcp_sendrecv_all_ports(myclient_t) -## corenet_tcp_connect_all_ports(myclient_t) -## corenet_all_recvfrom_unlabeled(myclient_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_connect_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - allow $1 port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect TCP sockets -## to all ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_tcp_connect_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_sendrecv_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_reserved_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_reserved_port'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_send_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_reserved_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_reserved_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_receive_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_reserved_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_reserved_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_sendrecv_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_reserved_port'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_reserved_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to generic reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_bind_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_reserved_port'($*)) dnl - - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_reserved_port'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to all ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - allow $1 port_type:sctp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_bind_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_reserved_port'($*)) dnl - - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_reserved_port'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to generic reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_reserved_port'($*)) dnl - - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_reserved_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind SCTP sockets to any ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_sctp_bind_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:sctp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl - ') - - -######################################## -## -## Send and receive TCP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_sendrecv_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_send_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_reserved_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_receive_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_reserved_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on all reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_sendrecv_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Connect SCTP sockets to all ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sctp_connect_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - allow $1 port_type:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_ports'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to all reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind TCP sockets to all reserved ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to all reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind UDP sockets to all reserved ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:udp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect SCTP sockets -## to all ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_sctp_connect_all_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl - - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to all ports > 1024. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_bind_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_bind_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:udp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Connect SCTP sockets to all ports > 1024. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sctp_connect_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit connect attempts to TCP sockets on -## ports greater than 1024. -## -## -## -## Domain not to audit access to. -## -## -# - define(`corenet_dontaudit_tcp_connect_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - dontaudit $1 unreserved_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect TCP sockets -## all reserved ports. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_tcp_connect_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Connect TCP sockets to rpc ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect TCP sockets -## all rpc ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_tcp_connect_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to generic reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sctp_bind_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_reserved_port'($*)) dnl - - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:sctp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_reserved_port'($*)) dnl - ') - - -######################################## -## -## Read the TUN/TAP virtual network device. -## -## -## -## The domain read allowed access. -## -## -# - define(`corenet_read_tun_tap_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_read_tun_tap_dev'($*)) dnl - - gen_require(` - type tun_tap_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_read_tun_tap_dev'($*)) dnl - ') - - -######################################## -## -## Write the TUN/TAP virtual network device. -## -## -## -## The domain allowed write access. -## -## -# - define(`corenet_write_tun_tap_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_write_tun_tap_dev'($*)) dnl - - gen_require(` - type tun_tap_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_write_tun_tap_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the TUN/TAP virtual network device. -## -## -## -## The domain allowed access. 
-## -## -# - define(`corenet_rw_tun_tap_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_rw_tun_tap_dev'($*)) dnl - - gen_require(` - type tun_tap_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_rw_tun_tap_dev'($*)) dnl - ') - - -######################################## -## -## Connect SCTP sockets to generic reserved ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_connect_reserved_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_reserved_port'($*)) dnl - - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_reserved_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write the TUN/TAP -## virtual network device. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_rw_tun_tap_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl - - gen_require(` - type tun_tap_device_t; - ') - - dontaudit $1 tun_tap_device_t:chr_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl - ') - - -######################################## -## -## Getattr the point-to-point device. -## -## -## -## The domain allowed access. 
-## -## -# - define(`corenet_getattr_ppp_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_getattr_ppp_dev'($*)) dnl - - gen_require(` - type ppp_device_t; - ') - - allow $1 ppp_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_getattr_ppp_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the point-to-point device. -## -## -## -## The domain allowed access. -## -## -# - define(`corenet_rw_ppp_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_rw_ppp_dev'($*)) dnl - - gen_require(` - type ppp_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ppp_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_rw_ppp_dev'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to all RPC ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_bind_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind TCP sockets to all RPC ports. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_tcp_bind_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:tcp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to all RPC ports. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_bind_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - allow $1 rpc_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind UDP sockets to all RPC ports. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_bind_all_rpc_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl - - gen_require(` - attribute rpc_port_type; - ') - - dontaudit $1 rpc_port_type:udp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to all reserved ports. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sctp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:sctp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Receive TCP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:tcp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Receive TCP packets from an unlabled connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_unlabeled'($*)) dnl - - kernel_tcp_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to bind SCTP sockets to all reserved ports. 
-## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_sctp_bind_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:sctp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive TCP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_tcp_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_tcp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl - - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive UDP packets from a NetLabel connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_udp_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:udp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Receive UDP packets from an unlabeled connection. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_udp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_unlabeled'($*)) dnl - - kernel_udp_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Bind SCTP sockets to all ports > 1024. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_bind_all_unreserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_unreserved_ports'($*)) dnl - - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:sctp_socket name_bind; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_unreserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_udp_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:udp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_udp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl - - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive Raw IP packets from a NetLabel connection. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_raw_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:rawip_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Receive Raw IP packets from an unlabeled connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_raw_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_unlabeled'($*)) dnl - - kernel_raw_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive Raw IP packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_raw_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Connect SCTP sockets to reserved ports. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_connect_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_raw_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl - - kernel_dontaudit_raw_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive packets from an unlabeled connection. -## -## -##

-## Allow the specified domain to receive packets from an -## unlabeled connection. On machines that do not utilize -## labeled networking, this will be required on all -## networking domains. On machines tha do utilize -## labeled networking, this will be required for any -## networking domain that is allowed to receive -## network traffic that does not have a label. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_all_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_unlabeled'($*)) dnl - - kernel_tcp_recvfrom_unlabeled($1) - kernel_udp_recvfrom_unlabeled($1) - kernel_raw_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive packets from a NetLabel connection. -## -## -##

-## Allow the specified domain to receive NetLabel -## network traffic, which utilizes the Commercial IP -## Security Option (CIPSO) to set the MLS level -## of the network packets. This is required for -## all networking domains that receive NetLabel -## network traffic. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`corenet_all_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive packets from an unlabeled connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_dontaudit_all_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl - - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_raw_recvfrom_unlabeled($1) - kernel_dontaudit_recvfrom_unlabeled_peer($1) - - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_dontaudit_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect SCTP sockets -## all reserved ports. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corenet_dontaudit_sctp_connect_all_reserved_ports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl - - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:sctp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive packets from a NetLabel -## connection. -## -## -## -## Domain to not audit. -## -## -# - define(`corenet_dontaudit_all_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Rules for receiving labeled TCP packets. -## -## -##

-## Rules for receiving labeled TCP packets. -##

-##

-## Due to the nature of TCP, this is bidirectional. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# - define(`corenet_tcp_recvfrom_labeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_labeled'($*)) dnl - - allow { $1 $2 } self:association sendto; - allow $1 $2:{ association tcp_socket } recvfrom; - allow $2 $1:{ association tcp_socket } recvfrom; - - allow $1 $2:peer recv; - allow $2 $1:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_tcp_recvfrom_netlabel($1) - corenet_tcp_recvfrom_netlabel($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_labeled'($*)) dnl - ') - - -######################################## -## -## Rules for receiving labeled UDP packets. -## -## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# - define(`corenet_udp_recvfrom_labeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_labeled'($*)) dnl - - allow $2 self:association sendto; - allow $1 $2:{ association udp_socket } recvfrom; - - allow $1 $2:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_udp_recvfrom_netlabel($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_labeled'($*)) dnl - ') - - -######################################## -## -## Rules for receiving labeled raw IP packets. -## -## -## -## Domain allowed access. -## -## -## -## -## Peer domain. 
-## -## -# - define(`corenet_raw_recvfrom_labeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_labeled'($*)) dnl - - allow $2 self:association sendto; - allow $1 $2:{ association rawip_socket } recvfrom; - - allow $1 $2:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_raw_recvfrom_netlabel($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_labeled'($*)) dnl - ') - - -######################################## -## -## Rules for receiving labeled packets via TCP, UDP and raw IP. -## -## -##

-## Rules for receiving labeled packets via TCP, UDP and raw IP. -##

-##

-## Due to the nature of TCP, the rules (for TCP -## networking only) are bidirectional. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# - define(`corenet_all_recvfrom_labeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_labeled'($*)) dnl - - corenet_sctp_recvfrom_labeled($1, $2) - corenet_tcp_recvfrom_labeled($1, $2) - corenet_udp_recvfrom_labeled($1, $2) - corenet_raw_recvfrom_labeled($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_labeled'($*)) dnl - ') - - -######################################## -## -## Allow specified type to set the context of -## a SPD entry for labeled ipsec associations. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_setcontext_all_spds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_setcontext_all_spds'($*)) dnl - - gen_require(` - attribute ipsec_spd_type; - ') - - allow $1 ipsec_spd_type:association setcontext; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_setcontext_all_spds'($*)) dnl - ') - - -######################################## -## -## Send generic client packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_send_generic_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_generic_client_packets'($*)) dnl - - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_generic_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive generic client packets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_receive_generic_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_client_packets'($*)) dnl - - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_generic_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive generic client packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sendrecv_generic_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_client_packets'($*)) dnl - - corenet_send_generic_client_packets($1) - corenet_receive_generic_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to the generic client packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_generic_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_client_packets'($*)) dnl - - gen_require(` - type client_packet_t; - ') - - allow $1 client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_client_packets'($*)) dnl - ') - - -######################################## -## -## Send generic server packets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_send_generic_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_generic_server_packets'($*)) dnl - - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_generic_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive generic server packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_receive_generic_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_server_packets'($*)) dnl - - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_generic_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive generic server packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sendrecv_generic_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_server_packets'($*)) dnl - - corenet_send_generic_server_packets($1) - corenet_receive_generic_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to the generic server packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_generic_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_server_packets'($*)) dnl - - gen_require(` - type server_packet_t; - ') - - allow $1 server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive unlabeled packets. -## -## -##

-## Send and receive unlabeled packets. -## These packets do not match any netfilter -## SECMARK rules. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`corenet_sendrecv_unlabeled_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_unlabeled_packets'($*)) dnl - - kernel_sendrecv_unlabeled_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_unlabeled_packets'($*)) dnl - ') - - -######################################## -## -## Send all client packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_send_all_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_all_client_packets'($*)) dnl - - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_all_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive all client packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_receive_all_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_all_client_packets'($*)) dnl - - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_all_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive all client packets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sendrecv_all_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_client_packets'($*)) dnl - - corenet_send_all_client_packets($1) - corenet_receive_all_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to any client packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_all_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_client_packets'($*)) dnl - - gen_require(` - attribute client_packet_type; - ') - - allow $1 client_packet_type:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_client_packets'($*)) dnl - ') - - -######################################## -## -## Send all server packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_send_all_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_all_server_packets'($*)) dnl - - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_all_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive SCTP packets from a NetLabel connection. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_sctp_recvfrom_netlabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_netlabel'($*)) dnl - - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_netlabel'($*)) dnl - ') - - -######################################## -## -## Receive all server packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_receive_all_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_all_server_packets'($*)) dnl - - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_all_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive all server packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sendrecv_all_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_server_packets'($*)) dnl - - corenet_send_all_server_packets($1) - corenet_receive_all_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to any server packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_all_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_server_packets'($*)) dnl - - gen_require(` - attribute server_packet_type; - ') - - allow $1 server_packet_type:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive SCTP packets from an unlabled connection. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sctp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_unlabeled'($*)) dnl - - gen_require(` - attribute corenet_unlabeled_type; - ') - - kernel_recvfrom_unlabeled_peer($1) - - typeattribute $1 corenet_unlabeled_type; - kernel_sendrecv_unlabeled_association($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send all packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_send_all_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_all_packets'($*)) dnl - - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_all_packets'($*)) dnl - ') - - -######################################## -## -## Receive all packets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_receive_all_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_all_packets'($*)) dnl - - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_all_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive all packets. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_sendrecv_all_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_packets'($*)) dnl - - corenet_send_all_packets($1) - corenet_receive_all_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to any packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_all_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_packets'($*)) dnl - - gen_require(` - attribute packet_type; - ') - - allow $1 packet_type:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_packets'($*)) dnl - ') - - -######################################## -## -## Access unlabeled infiniband pkeys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_ib_access_unlabeled_pkeys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_access_unlabeled_pkeys'($*)) dnl - - kernel_ib_access_unlabeled_pkeys($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_access_unlabeled_pkeys'($*)) dnl - ') - - -######################################## -## -## Access all labeled infiniband pkeys. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_ib_access_all_pkeys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_access_all_pkeys'($*)) dnl - - gen_require(` - attribute ibpkey_type; - ') - - allow $1 ibpkey_type:infiniband_pkey access; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_access_all_pkeys'($*)) dnl - ') - - -######################################## -## -## Manage subnets on all labeled Infiniband endports -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_ib_manage_subnet_all_endports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_all_endports'($*)) dnl - - gen_require(` - attribute ibendport_type; - ') - - allow $1 ibendport_type:infiniband_endport manage_subnet; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_all_endports'($*)) dnl - ') - - -######################################## -## -## Manage subnet on all unlabeled Infiniband endports -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_ib_manage_subnet_unlabeled_endports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl - - kernel_ib_manage_subnet_unlabeled_endports($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl - ') - - -######################################## -## -## Rules for receiving labeled SCTP packets. -## -## -## -## Domain allowed access. -## -## -## -## -## Peer domain. -## -## -# - define(`corenet_sctp_recvfrom_labeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_labeled'($*)) dnl - - allow { $1 $2 } self:association sendto; - allow $1 $2:association recvfrom; - allow $2 $1:association recvfrom; - - allow $1 $2:peer recv; - allow $2 $1:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_sctp_recvfrom_netlabel($1) - corenet_sctp_recvfrom_netlabel($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_labeled'($*)) dnl - ') - - -######################################## -## -## Unconfined access to network objects. -## -## -## -## The domain allowed access. -## -## -# - define(`corenet_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_unconfined'($*)) dnl - - gen_require(` - attribute corenet_unconfined_type; - ') - - typeattribute $1 corenet_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_unconfined'($*)) dnl - ') - - - -######################################## -## -## Send and receive TCP traffic on the adb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_adb_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the adb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_adb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the adb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_adb_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the adb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_adb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the adb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_adb_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the adb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_adb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the adb port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_adb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_adb_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the adb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_adb_port'($*)) dnl - - gen_require(` - type adb_port_t; - ') - - allow $1 adb_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_adb_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the adb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_adb_port'($*)) dnl - - gen_require(` - type adb_port_t; - ') - - allow $1 adb_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_adb_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the adb port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_adb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_adb_port'($*)) dnl - - gen_require(` - type adb_port_t; - ') - - allow $1 adb_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_adb_port'($*)) dnl - ') - - - -######################################## -## -## Send adb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_adb_client_packets'($*)) dnl - - gen_require(` - type adb_client_packet_t; - ') - - allow $1 adb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send adb_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_adb_client_packets'($*)) dnl - - gen_require(` - type adb_client_packet_t; - ') - - dontaudit $1 adb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive adb_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_adb_client_packets'($*)) dnl - - gen_require(` - type adb_client_packet_t; - ') - - allow $1 adb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive adb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_adb_client_packets'($*)) dnl - - gen_require(` - type adb_client_packet_t; - ') - - dontaudit $1 adb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive adb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_adb_client_packets'($*)) dnl - - corenet_send_adb_client_packets($1) - corenet_receive_adb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive adb_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_adb_client_packets'($*)) dnl - - corenet_dontaudit_send_adb_client_packets($1) - corenet_dontaudit_receive_adb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_adb_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to adb_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_adb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_adb_client_packets'($*)) dnl - - gen_require(` - type adb_client_packet_t; - ') - - allow $1 adb_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_adb_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send adb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_adb_server_packets'($*)) dnl - - gen_require(` - type adb_server_packet_t; - ') - - allow $1 adb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send adb_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_adb_server_packets'($*)) dnl - - gen_require(` - type adb_server_packet_t; - ') - - dontaudit $1 adb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive adb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_adb_server_packets'($*)) dnl - - gen_require(` - type adb_server_packet_t; - ') - - allow $1 adb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive adb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_adb_server_packets'($*)) dnl - - gen_require(` - type adb_server_packet_t; - ') - - dontaudit $1 adb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive adb_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_adb_server_packets'($*)) dnl - - corenet_send_adb_server_packets($1) - corenet_receive_adb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive adb_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_adb_server_packets'($*)) dnl - - corenet_dontaudit_send_adb_server_packets($1) - corenet_dontaudit_receive_adb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_adb_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to adb_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_adb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_adb_server_packets'($*)) dnl - - gen_require(` - type adb_server_packet_t; - ') - - allow $1 adb_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_adb_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs_bos port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs_bos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs_bos port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs_bos port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs_bos port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs_bos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs_bos port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs_bos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_bos_port'($*)) dnl - - gen_require(` - type afs_bos_port_t; - ') - - allow $1 afs_bos_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs_bos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_bos_port'($*)) dnl - - gen_require(` - type afs_bos_port_t; - ') - - allow $1 afs_bos_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_bos_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs_bos port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs_bos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_bos_port'($*)) dnl - - gen_require(` - type afs_bos_port_t; - ') - - allow $1 afs_bos_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_bos_port'($*)) dnl - ') - - - -######################################## -## -## Send afs_bos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_client_packets'($*)) dnl - - gen_require(` - type afs_bos_client_packet_t; - ') - - allow $1 afs_bos_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_bos_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl - - gen_require(` - type afs_bos_client_packet_t; - ') - - dontaudit $1 afs_bos_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_bos_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_client_packets'($*)) dnl - - gen_require(` - type afs_bos_client_packet_t; - ') - - allow $1 afs_bos_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_bos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl - - gen_require(` - type afs_bos_client_packet_t; - ') - - dontaudit $1 afs_bos_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_bos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_client_packets'($*)) dnl - - corenet_send_afs_bos_client_packets($1) - corenet_receive_afs_bos_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_bos_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl - - corenet_dontaudit_send_afs_bos_client_packets($1) - corenet_dontaudit_receive_afs_bos_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_bos_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_bos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_client_packets'($*)) dnl - - gen_require(` - type afs_bos_client_packet_t; - ') - - allow $1 afs_bos_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs_bos_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_server_packets'($*)) dnl - - gen_require(` - type afs_bos_server_packet_t; - ') - - allow $1 afs_bos_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_bos_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl - - gen_require(` - type afs_bos_server_packet_t; - ') - - dontaudit $1 afs_bos_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_bos_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_server_packets'($*)) dnl - - gen_require(` - type afs_bos_server_packet_t; - ') - - allow $1 afs_bos_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_bos_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl - - gen_require(` - type afs_bos_server_packet_t; - ') - - dontaudit $1 afs_bos_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_bos_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_server_packets'($*)) dnl - - corenet_send_afs_bos_server_packets($1) - corenet_receive_afs_bos_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_bos_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl - - corenet_dontaudit_send_afs_bos_server_packets($1) - corenet_dontaudit_receive_afs_bos_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_bos_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_bos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_server_packets'($*)) dnl - - gen_require(` - type afs_bos_server_packet_t; - ') - - allow $1 afs_bos_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs_fs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs_fs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs_fs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs_fs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs_fs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs_fs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs_fs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs_fs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_fs_port'($*)) dnl - - gen_require(` - type afs_fs_port_t; - ') - - allow $1 afs_fs_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs_fs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_fs_port'($*)) dnl - - gen_require(` - type afs_fs_port_t; - ') - - allow $1 afs_fs_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_fs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs_fs port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs_fs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_fs_port'($*)) dnl - - gen_require(` - type afs_fs_port_t; - ') - - allow $1 afs_fs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_fs_port'($*)) dnl - ') - - - -######################################## -## -## Send afs_fs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_client_packets'($*)) dnl - - gen_require(` - type afs_fs_client_packet_t; - ') - - allow $1 afs_fs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_fs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl - - gen_require(` - type afs_fs_client_packet_t; - ') - - dontaudit $1 afs_fs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_fs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_client_packets'($*)) dnl - - gen_require(` - type afs_fs_client_packet_t; - ') - - allow $1 afs_fs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_fs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl - - gen_require(` - type afs_fs_client_packet_t; - ') - - dontaudit $1 afs_fs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_fs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_client_packets'($*)) dnl - - corenet_send_afs_fs_client_packets($1) - corenet_receive_afs_fs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_fs_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl - - corenet_dontaudit_send_afs_fs_client_packets($1) - corenet_dontaudit_receive_afs_fs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_fs_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_fs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_client_packets'($*)) dnl - - gen_require(` - type afs_fs_client_packet_t; - ') - - allow $1 afs_fs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs_fs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_server_packets'($*)) dnl - - gen_require(` - type afs_fs_server_packet_t; - ') - - allow $1 afs_fs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_fs_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl - - gen_require(` - type afs_fs_server_packet_t; - ') - - dontaudit $1 afs_fs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_fs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_server_packets'($*)) dnl - - gen_require(` - type afs_fs_server_packet_t; - ') - - allow $1 afs_fs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_fs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl - - gen_require(` - type afs_fs_server_packet_t; - ') - - dontaudit $1 afs_fs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_fs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_server_packets'($*)) dnl - - corenet_send_afs_fs_server_packets($1) - corenet_receive_afs_fs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_fs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl - - corenet_dontaudit_send_afs_fs_server_packets($1) - corenet_dontaudit_receive_afs_fs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_fs_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_fs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_server_packets'($*)) dnl - - gen_require(` - type afs_fs_server_packet_t; - ') - - allow $1 afs_fs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs_ka port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs_ka port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs_ka port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs_ka port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs_ka port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs_ka port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs_ka port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs_ka port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_ka_port'($*)) dnl - - gen_require(` - type afs_ka_port_t; - ') - - allow $1 afs_ka_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs_ka port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_ka_port'($*)) dnl - - gen_require(` - type afs_ka_port_t; - ') - - allow $1 afs_ka_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_ka_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs_ka port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs_ka_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_ka_port'($*)) dnl - - gen_require(` - type afs_ka_port_t; - ') - - allow $1 afs_ka_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_ka_port'($*)) dnl - ') - - - -######################################## -## -## Send afs_ka_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_client_packets'($*)) dnl - - gen_require(` - type afs_ka_client_packet_t; - ') - - allow $1 afs_ka_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_ka_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl - - gen_require(` - type afs_ka_client_packet_t; - ') - - dontaudit $1 afs_ka_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_ka_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_client_packets'($*)) dnl - - gen_require(` - type afs_ka_client_packet_t; - ') - - allow $1 afs_ka_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_ka_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl - - gen_require(` - type afs_ka_client_packet_t; - ') - - dontaudit $1 afs_ka_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_ka_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_client_packets'($*)) dnl - - corenet_send_afs_ka_client_packets($1) - corenet_receive_afs_ka_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_ka_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl - - corenet_dontaudit_send_afs_ka_client_packets($1) - corenet_dontaudit_receive_afs_ka_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_ka_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_ka_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_client_packets'($*)) dnl - - gen_require(` - type afs_ka_client_packet_t; - ') - - allow $1 afs_ka_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs_ka_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_server_packets'($*)) dnl - - gen_require(` - type afs_ka_server_packet_t; - ') - - allow $1 afs_ka_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_ka_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl - - gen_require(` - type afs_ka_server_packet_t; - ') - - dontaudit $1 afs_ka_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_ka_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_server_packets'($*)) dnl - - gen_require(` - type afs_ka_server_packet_t; - ') - - allow $1 afs_ka_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_ka_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl - - gen_require(` - type afs_ka_server_packet_t; - ') - - dontaudit $1 afs_ka_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_ka_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_server_packets'($*)) dnl - - corenet_send_afs_ka_server_packets($1) - corenet_receive_afs_ka_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_ka_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl - - corenet_dontaudit_send_afs_ka_server_packets($1) - corenet_dontaudit_receive_afs_ka_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_ka_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_ka_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_server_packets'($*)) dnl - - gen_require(` - type afs_ka_server_packet_t; - ') - - allow $1 afs_ka_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs_pt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs_pt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs_pt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs_pt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs_pt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs_pt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs_pt port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs_pt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_pt_port'($*)) dnl - - gen_require(` - type afs_pt_port_t; - ') - - allow $1 afs_pt_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs_pt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_pt_port'($*)) dnl - - gen_require(` - type afs_pt_port_t; - ') - - allow $1 afs_pt_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_pt_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs_pt port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs_pt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_pt_port'($*)) dnl - - gen_require(` - type afs_pt_port_t; - ') - - allow $1 afs_pt_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_pt_port'($*)) dnl - ') - - - -######################################## -## -## Send afs_pt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_client_packets'($*)) dnl - - gen_require(` - type afs_pt_client_packet_t; - ') - - allow $1 afs_pt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_pt_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl - - gen_require(` - type afs_pt_client_packet_t; - ') - - dontaudit $1 afs_pt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_pt_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_client_packets'($*)) dnl - - gen_require(` - type afs_pt_client_packet_t; - ') - - allow $1 afs_pt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_pt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl - - gen_require(` - type afs_pt_client_packet_t; - ') - - dontaudit $1 afs_pt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_pt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_client_packets'($*)) dnl - - corenet_send_afs_pt_client_packets($1) - corenet_receive_afs_pt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_pt_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl - - corenet_dontaudit_send_afs_pt_client_packets($1) - corenet_dontaudit_receive_afs_pt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_pt_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_pt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_client_packets'($*)) dnl - - gen_require(` - type afs_pt_client_packet_t; - ') - - allow $1 afs_pt_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs_pt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_server_packets'($*)) dnl - - gen_require(` - type afs_pt_server_packet_t; - ') - - allow $1 afs_pt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_pt_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl - - gen_require(` - type afs_pt_server_packet_t; - ') - - dontaudit $1 afs_pt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_pt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_server_packets'($*)) dnl - - gen_require(` - type afs_pt_server_packet_t; - ') - - allow $1 afs_pt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_pt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl - - gen_require(` - type afs_pt_server_packet_t; - ') - - dontaudit $1 afs_pt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_pt_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_server_packets'($*)) dnl - - corenet_send_afs_pt_server_packets($1) - corenet_receive_afs_pt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_pt_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl - - corenet_dontaudit_send_afs_pt_server_packets($1) - corenet_dontaudit_receive_afs_pt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_pt_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_pt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_server_packets'($*)) dnl - - gen_require(` - type afs_pt_server_packet_t; - ') - - allow $1 afs_pt_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs_vl port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs_vl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs_vl port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs_vl port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs_vl port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs_vl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs_vl port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs_vl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_vl_port'($*)) dnl - - gen_require(` - type afs_vl_port_t; - ') - - allow $1 afs_vl_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs_vl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_vl_port'($*)) dnl - - gen_require(` - type afs_vl_port_t; - ') - - allow $1 afs_vl_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_vl_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs_vl port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs_vl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_vl_port'($*)) dnl - - gen_require(` - type afs_vl_port_t; - ') - - allow $1 afs_vl_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_vl_port'($*)) dnl - ') - - - -######################################## -## -## Send afs_vl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_client_packets'($*)) dnl - - gen_require(` - type afs_vl_client_packet_t; - ') - - allow $1 afs_vl_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_vl_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl - - gen_require(` - type afs_vl_client_packet_t; - ') - - dontaudit $1 afs_vl_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_vl_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_client_packets'($*)) dnl - - gen_require(` - type afs_vl_client_packet_t; - ') - - allow $1 afs_vl_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_vl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl - - gen_require(` - type afs_vl_client_packet_t; - ') - - dontaudit $1 afs_vl_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_vl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_client_packets'($*)) dnl - - corenet_send_afs_vl_client_packets($1) - corenet_receive_afs_vl_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_vl_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl - - corenet_dontaudit_send_afs_vl_client_packets($1) - corenet_dontaudit_receive_afs_vl_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_vl_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_vl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_client_packets'($*)) dnl - - gen_require(` - type afs_vl_client_packet_t; - ') - - allow $1 afs_vl_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs_vl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_server_packets'($*)) dnl - - gen_require(` - type afs_vl_server_packet_t; - ') - - allow $1 afs_vl_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs_vl_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl - - gen_require(` - type afs_vl_server_packet_t; - ') - - dontaudit $1 afs_vl_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs_vl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_server_packets'($*)) dnl - - gen_require(` - type afs_vl_server_packet_t; - ') - - allow $1 afs_vl_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs_vl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl - - gen_require(` - type afs_vl_server_packet_t; - ') - - dontaudit $1 afs_vl_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs_vl_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_server_packets'($*)) dnl - - corenet_send_afs_vl_server_packets($1) - corenet_receive_afs_vl_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs_vl_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl - - corenet_dontaudit_send_afs_vl_server_packets($1) - corenet_dontaudit_receive_afs_vl_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs_vl_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs_vl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_server_packets'($*)) dnl - - gen_require(` - type afs_vl_server_packet_t; - ') - - allow $1 afs_vl_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the afs3_callback port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the afs3_callback port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the afs3_callback port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the afs3_callback port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the afs3_callback port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the afs3_callback port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the afs3_callback port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the afs3_callback port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs3_callback_port'($*)) dnl - - gen_require(` - type afs3_callback_port_t; - ') - - allow $1 afs3_callback_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the afs3_callback port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs3_callback_port'($*)) dnl - - gen_require(` - type afs3_callback_port_t; - ') - - allow $1 afs3_callback_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs3_callback_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the afs3_callback port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_afs3_callback_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs3_callback_port'($*)) dnl - - gen_require(` - type afs3_callback_port_t; - ') - - allow $1 afs3_callback_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs3_callback_port'($*)) dnl - ') - - - -######################################## -## -## Send afs3_callback_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_client_packets'($*)) dnl - - gen_require(` - type afs3_callback_client_packet_t; - ') - - allow $1 afs3_callback_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs3_callback_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl - - gen_require(` - type afs3_callback_client_packet_t; - ') - - dontaudit $1 afs3_callback_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs3_callback_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_client_packets'($*)) dnl - - gen_require(` - type afs3_callback_client_packet_t; - ') - - allow $1 afs3_callback_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs3_callback_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl - - gen_require(` - type afs3_callback_client_packet_t; - ') - - dontaudit $1 afs3_callback_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs3_callback_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl - - corenet_send_afs3_callback_client_packets($1) - corenet_receive_afs3_callback_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs3_callback_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl - - corenet_dontaudit_send_afs3_callback_client_packets($1) - corenet_dontaudit_receive_afs3_callback_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs3_callback_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs3_callback_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_client_packets'($*)) dnl - - gen_require(` - type afs3_callback_client_packet_t; - ') - - allow $1 afs3_callback_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send afs3_callback_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_server_packets'($*)) dnl - - gen_require(` - type afs3_callback_server_packet_t; - ') - - allow $1 afs3_callback_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send afs3_callback_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl - - gen_require(` - type afs3_callback_server_packet_t; - ') - - dontaudit $1 afs3_callback_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive afs3_callback_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_server_packets'($*)) dnl - - gen_require(` - type afs3_callback_server_packet_t; - ') - - allow $1 afs3_callback_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive afs3_callback_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl - - gen_require(` - type afs3_callback_server_packet_t; - ') - - dontaudit $1 afs3_callback_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive afs3_callback_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl - - corenet_send_afs3_callback_server_packets($1) - corenet_receive_afs3_callback_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive afs3_callback_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl - - corenet_dontaudit_send_afs3_callback_server_packets($1) - corenet_dontaudit_receive_afs3_callback_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to afs3_callback_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_afs3_callback_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_server_packets'($*)) dnl - - gen_require(` - type afs3_callback_server_packet_t; - ') - - allow $1 afs3_callback_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the agentx port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_agentx_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the agentx port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_agentx_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the agentx port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_agentx_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the agentx port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_agentx_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the agentx port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the agentx port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_agentx_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the agentx port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the agentx port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_agentx_port'($*)) dnl - - gen_require(` - type agentx_port_t; - ') - - allow $1 agentx_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_agentx_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the agentx port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_agentx_port'($*)) dnl - - gen_require(` - type agentx_port_t; - ') - - allow $1 agentx_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_agentx_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the agentx port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_agentx_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_agentx_port'($*)) dnl - - gen_require(` - type agentx_port_t; - ') - - allow $1 agentx_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_agentx_port'($*)) dnl - ') - - - -######################################## -## -## Send agentx_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_client_packets'($*)) dnl - - gen_require(` - type agentx_client_packet_t; - ') - - allow $1 agentx_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send agentx_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_client_packets'($*)) dnl - - gen_require(` - type agentx_client_packet_t; - ') - - dontaudit $1 agentx_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive agentx_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_client_packets'($*)) dnl - - gen_require(` - type agentx_client_packet_t; - ') - - allow $1 agentx_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive agentx_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl - - gen_require(` - type agentx_client_packet_t; - ') - - dontaudit $1 agentx_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive agentx_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_client_packets'($*)) dnl - - corenet_send_agentx_client_packets($1) - corenet_receive_agentx_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive agentx_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl - - corenet_dontaudit_send_agentx_client_packets($1) - corenet_dontaudit_receive_agentx_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to agentx_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_agentx_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_client_packets'($*)) dnl - - gen_require(` - type agentx_client_packet_t; - ') - - allow $1 agentx_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send agentx_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_server_packets'($*)) dnl - - gen_require(` - type agentx_server_packet_t; - ') - - allow $1 agentx_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send agentx_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_server_packets'($*)) dnl - - gen_require(` - type agentx_server_packet_t; - ') - - dontaudit $1 agentx_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive agentx_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_server_packets'($*)) dnl - - gen_require(` - type agentx_server_packet_t; - ') - - allow $1 agentx_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive agentx_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl - - gen_require(` - type agentx_server_packet_t; - ') - - dontaudit $1 agentx_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive agentx_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_server_packets'($*)) dnl - - corenet_send_agentx_server_packets($1) - corenet_receive_agentx_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive agentx_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl - - corenet_dontaudit_send_agentx_server_packets($1) - corenet_dontaudit_receive_agentx_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to agentx_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_agentx_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_server_packets'($*)) dnl - - gen_require(` - type agentx_server_packet_t; - ') - - allow $1 agentx_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the amanda port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amanda_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the amanda port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_amanda_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the amanda port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amanda_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the amanda port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amanda_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the amanda port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the amanda port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amanda_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the amanda port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the amanda port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amanda_port'($*)) dnl - - gen_require(` - type amanda_port_t; - ') - - allow $1 amanda_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amanda_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the amanda port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amanda_port'($*)) dnl - - gen_require(` - type amanda_port_t; - ') - - allow $1 amanda_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amanda_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the amanda port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_amanda_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amanda_port'($*)) dnl - - gen_require(` - type amanda_port_t; - ') - - allow $1 amanda_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amanda_port'($*)) dnl - ') - - - -######################################## -## -## Send amanda_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_client_packets'($*)) dnl - - gen_require(` - type amanda_client_packet_t; - ') - - allow $1 amanda_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amanda_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_client_packets'($*)) dnl - - gen_require(` - type amanda_client_packet_t; - ') - - dontaudit $1 amanda_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive amanda_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_client_packets'($*)) dnl - - gen_require(` - type amanda_client_packet_t; - ') - - allow $1 amanda_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amanda_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl - - gen_require(` - type amanda_client_packet_t; - ') - - dontaudit $1 amanda_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amanda_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_client_packets'($*)) dnl - - corenet_send_amanda_client_packets($1) - corenet_receive_amanda_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amanda_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl - - corenet_dontaudit_send_amanda_client_packets($1) - corenet_dontaudit_receive_amanda_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amanda_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amanda_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_client_packets'($*)) dnl - - gen_require(` - type amanda_client_packet_t; - ') - - allow $1 amanda_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send amanda_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_server_packets'($*)) dnl - - gen_require(` - type amanda_server_packet_t; - ') - - allow $1 amanda_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amanda_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_server_packets'($*)) dnl - - gen_require(` - type amanda_server_packet_t; - ') - - dontaudit $1 amanda_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive amanda_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_server_packets'($*)) dnl - - gen_require(` - type amanda_server_packet_t; - ') - - allow $1 amanda_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amanda_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl - - gen_require(` - type amanda_server_packet_t; - ') - - dontaudit $1 amanda_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amanda_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_server_packets'($*)) dnl - - corenet_send_amanda_server_packets($1) - corenet_receive_amanda_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amanda_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl - - corenet_dontaudit_send_amanda_server_packets($1) - corenet_dontaudit_receive_amanda_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amanda_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amanda_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_server_packets'($*)) dnl - - gen_require(` - type amanda_server_packet_t; - ') - - allow $1 amanda_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the amavisd_recv port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the amavisd_recv port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the amavisd_recv port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the amavisd_recv port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the amavisd_recv port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the amavisd_recv port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the amavisd_recv port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the amavisd_recv port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_recv_port'($*)) dnl - - gen_require(` - type amavisd_recv_port_t; - ') - - allow $1 amavisd_recv_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the amavisd_recv port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_recv_port'($*)) dnl - - gen_require(` - type amavisd_recv_port_t; - ') - - allow $1 amavisd_recv_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_recv_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the amavisd_recv port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_amavisd_recv_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_recv_port'($*)) dnl - - gen_require(` - type amavisd_recv_port_t; - ') - - allow $1 amavisd_recv_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_recv_port'($*)) dnl - ') - - - -######################################## -## -## Send amavisd_recv_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_client_packets'($*)) dnl - - gen_require(` - type amavisd_recv_client_packet_t; - ') - - allow $1 amavisd_recv_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amavisd_recv_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl - - gen_require(` - type amavisd_recv_client_packet_t; - ') - - dontaudit $1 amavisd_recv_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive amavisd_recv_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_client_packets'($*)) dnl - - gen_require(` - type amavisd_recv_client_packet_t; - ') - - allow $1 amavisd_recv_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amavisd_recv_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl - - gen_require(` - type amavisd_recv_client_packet_t; - ') - - dontaudit $1 amavisd_recv_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amavisd_recv_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl - - corenet_send_amavisd_recv_client_packets($1) - corenet_receive_amavisd_recv_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amavisd_recv_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl - - corenet_dontaudit_send_amavisd_recv_client_packets($1) - corenet_dontaudit_receive_amavisd_recv_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amavisd_recv_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amavisd_recv_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl - - gen_require(` - type amavisd_recv_client_packet_t; - ') - - allow $1 amavisd_recv_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send amavisd_recv_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_server_packets'($*)) dnl - - gen_require(` - type amavisd_recv_server_packet_t; - ') - - allow $1 amavisd_recv_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amavisd_recv_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl - - gen_require(` - type amavisd_recv_server_packet_t; - ') - - dontaudit $1 amavisd_recv_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive amavisd_recv_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_server_packets'($*)) dnl - - gen_require(` - type amavisd_recv_server_packet_t; - ') - - allow $1 amavisd_recv_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amavisd_recv_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl - - gen_require(` - type amavisd_recv_server_packet_t; - ') - - dontaudit $1 amavisd_recv_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amavisd_recv_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl - - corenet_send_amavisd_recv_server_packets($1) - corenet_receive_amavisd_recv_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amavisd_recv_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl - - corenet_dontaudit_send_amavisd_recv_server_packets($1) - corenet_dontaudit_receive_amavisd_recv_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amavisd_recv_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amavisd_recv_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl - - gen_require(` - type amavisd_recv_server_packet_t; - ') - - allow $1 amavisd_recv_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the amavisd_send port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the amavisd_send port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the amavisd_send port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the amavisd_send port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the amavisd_send port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the amavisd_send port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the amavisd_send port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the amavisd_send port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_send_port'($*)) dnl - - gen_require(` - type amavisd_send_port_t; - ') - - allow $1 amavisd_send_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the amavisd_send port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_send_port'($*)) dnl - - gen_require(` - type amavisd_send_port_t; - ') - - allow $1 amavisd_send_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_send_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the amavisd_send port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_amavisd_send_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_send_port'($*)) dnl - - gen_require(` - type amavisd_send_port_t; - ') - - allow $1 amavisd_send_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_send_port'($*)) dnl - ') - - - -######################################## -## -## Send amavisd_send_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_client_packets'($*)) dnl - - gen_require(` - type amavisd_send_client_packet_t; - ') - - allow $1 amavisd_send_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amavisd_send_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl - - gen_require(` - type amavisd_send_client_packet_t; - ') - - dontaudit $1 amavisd_send_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive amavisd_send_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_client_packets'($*)) dnl - - gen_require(` - type amavisd_send_client_packet_t; - ') - - allow $1 amavisd_send_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amavisd_send_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl - - gen_require(` - type amavisd_send_client_packet_t; - ') - - dontaudit $1 amavisd_send_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amavisd_send_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl - - corenet_send_amavisd_send_client_packets($1) - corenet_receive_amavisd_send_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amavisd_send_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl - - corenet_dontaudit_send_amavisd_send_client_packets($1) - corenet_dontaudit_receive_amavisd_send_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amavisd_send_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amavisd_send_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_client_packets'($*)) dnl - - gen_require(` - type amavisd_send_client_packet_t; - ') - - allow $1 amavisd_send_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send amavisd_send_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_server_packets'($*)) dnl - - gen_require(` - type amavisd_send_server_packet_t; - ') - - allow $1 amavisd_send_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amavisd_send_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl - - gen_require(` - type amavisd_send_server_packet_t; - ') - - dontaudit $1 amavisd_send_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive amavisd_send_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_server_packets'($*)) dnl - - gen_require(` - type amavisd_send_server_packet_t; - ') - - allow $1 amavisd_send_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amavisd_send_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl - - gen_require(` - type amavisd_send_server_packet_t; - ') - - dontaudit $1 amavisd_send_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amavisd_send_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl - - corenet_send_amavisd_send_server_packets($1) - corenet_receive_amavisd_send_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amavisd_send_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl - - corenet_dontaudit_send_amavisd_send_server_packets($1) - corenet_dontaudit_receive_amavisd_send_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amavisd_send_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amavisd_send_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_server_packets'($*)) dnl - - gen_require(` - type amavisd_send_server_packet_t; - ') - - allow $1 amavisd_send_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the amqp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amqp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the amqp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_amqp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the amqp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amqp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the amqp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amqp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the amqp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the amqp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amqp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the amqp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the amqp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amqp_port'($*)) dnl - - gen_require(` - type amqp_port_t; - ') - - allow $1 amqp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amqp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the amqp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amqp_port'($*)) dnl - - gen_require(` - type amqp_port_t; - ') - - allow $1 amqp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amqp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the amqp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_amqp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amqp_port'($*)) dnl - - gen_require(` - type amqp_port_t; - ') - - allow $1 amqp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amqp_port'($*)) dnl - ') - - - -######################################## -## -## Send amqp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_client_packets'($*)) dnl - - gen_require(` - type amqp_client_packet_t; - ') - - allow $1 amqp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amqp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_client_packets'($*)) dnl - - gen_require(` - type amqp_client_packet_t; - ') - - dontaudit $1 amqp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive amqp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_client_packets'($*)) dnl - - gen_require(` - type amqp_client_packet_t; - ') - - allow $1 amqp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amqp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_client_packets'($*)) dnl - - gen_require(` - type amqp_client_packet_t; - ') - - dontaudit $1 amqp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amqp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_client_packets'($*)) dnl - - corenet_send_amqp_client_packets($1) - corenet_receive_amqp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amqp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_client_packets'($*)) dnl - - corenet_dontaudit_send_amqp_client_packets($1) - corenet_dontaudit_receive_amqp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amqp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amqp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_client_packets'($*)) dnl - - gen_require(` - type amqp_client_packet_t; - ') - - allow $1 amqp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send amqp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_server_packets'($*)) dnl - - gen_require(` - type amqp_server_packet_t; - ') - - allow $1 amqp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send amqp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_server_packets'($*)) dnl - - gen_require(` - type amqp_server_packet_t; - ') - - dontaudit $1 amqp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive amqp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_server_packets'($*)) dnl - - gen_require(` - type amqp_server_packet_t; - ') - - allow $1 amqp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive amqp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_server_packets'($*)) dnl - - gen_require(` - type amqp_server_packet_t; - ') - - dontaudit $1 amqp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive amqp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_server_packets'($*)) dnl - - corenet_send_amqp_server_packets($1) - corenet_receive_amqp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive amqp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_server_packets'($*)) dnl - - corenet_dontaudit_send_amqp_server_packets($1) - corenet_dontaudit_receive_amqp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to amqp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_amqp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_server_packets'($*)) dnl - - gen_require(` - type amqp_server_packet_t; - ') - - allow $1 amqp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the aol port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_aol_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the aol port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_aol_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the aol port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_aol_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the aol port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_aol_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the aol port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_aol_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the aol port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_aol_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the aol port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_aol_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_aol_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the aol port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_aol_port'($*)) dnl - - gen_require(` - type aol_port_t; - ') - - allow $1 aol_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_aol_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the aol port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_aol_port'($*)) dnl - - gen_require(` - type aol_port_t; - ') - - allow $1 aol_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_aol_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the aol port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_aol_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_aol_port'($*)) dnl - - gen_require(` - type aol_port_t; - ') - - allow $1 aol_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_aol_port'($*)) dnl - ') - - - -######################################## -## -## Send aol_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_aol_client_packets'($*)) dnl - - gen_require(` - type aol_client_packet_t; - ') - - allow $1 aol_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send aol_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_client_packets'($*)) dnl - - gen_require(` - type aol_client_packet_t; - ') - - dontaudit $1 aol_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive aol_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_client_packets'($*)) dnl - - gen_require(` - type aol_client_packet_t; - ') - - allow $1 aol_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive aol_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_client_packets'($*)) dnl - - gen_require(` - type aol_client_packet_t; - ') - - dontaudit $1 aol_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive aol_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_client_packets'($*)) dnl - - corenet_send_aol_client_packets($1) - corenet_receive_aol_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive aol_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_client_packets'($*)) dnl - - corenet_dontaudit_send_aol_client_packets($1) - corenet_dontaudit_receive_aol_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to aol_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_aol_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_client_packets'($*)) dnl - - gen_require(` - type aol_client_packet_t; - ') - - allow $1 aol_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send aol_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_aol_server_packets'($*)) dnl - - gen_require(` - type aol_server_packet_t; - ') - - allow $1 aol_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send aol_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_server_packets'($*)) dnl - - gen_require(` - type aol_server_packet_t; - ') - - dontaudit $1 aol_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive aol_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_server_packets'($*)) dnl - - gen_require(` - type aol_server_packet_t; - ') - - allow $1 aol_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive aol_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_server_packets'($*)) dnl - - gen_require(` - type aol_server_packet_t; - ') - - dontaudit $1 aol_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive aol_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_server_packets'($*)) dnl - - corenet_send_aol_server_packets($1) - corenet_receive_aol_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive aol_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_server_packets'($*)) dnl - - corenet_dontaudit_send_aol_server_packets($1) - corenet_dontaudit_receive_aol_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to aol_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_aol_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_server_packets'($*)) dnl - - gen_require(` - type aol_server_packet_t; - ') - - allow $1 aol_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the apcupsd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the apcupsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the apcupsd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the apcupsd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the apcupsd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the apcupsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the apcupsd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the apcupsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apcupsd_port'($*)) dnl - - gen_require(` - type apcupsd_port_t; - ') - - allow $1 apcupsd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the apcupsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apcupsd_port'($*)) dnl - - gen_require(` - type apcupsd_port_t; - ') - - allow $1 apcupsd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apcupsd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the apcupsd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_apcupsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apcupsd_port'($*)) dnl - - gen_require(` - type apcupsd_port_t; - ') - - allow $1 apcupsd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apcupsd_port'($*)) dnl - ') - - - -######################################## -## -## Send apcupsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_client_packets'($*)) dnl - - gen_require(` - type apcupsd_client_packet_t; - ') - - allow $1 apcupsd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send apcupsd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl - - gen_require(` - type apcupsd_client_packet_t; - ') - - dontaudit $1 apcupsd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive apcupsd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_client_packets'($*)) dnl - - gen_require(` - type apcupsd_client_packet_t; - ') - - allow $1 apcupsd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive apcupsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl - - gen_require(` - type apcupsd_client_packet_t; - ') - - dontaudit $1 apcupsd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive apcupsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_client_packets'($*)) dnl - - corenet_send_apcupsd_client_packets($1) - corenet_receive_apcupsd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive apcupsd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl - - corenet_dontaudit_send_apcupsd_client_packets($1) - corenet_dontaudit_receive_apcupsd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to apcupsd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_apcupsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_client_packets'($*)) dnl - - gen_require(` - type apcupsd_client_packet_t; - ') - - allow $1 apcupsd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send apcupsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_server_packets'($*)) dnl - - gen_require(` - type apcupsd_server_packet_t; - ') - - allow $1 apcupsd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send apcupsd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl - - gen_require(` - type apcupsd_server_packet_t; - ') - - dontaudit $1 apcupsd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive apcupsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_server_packets'($*)) dnl - - gen_require(` - type apcupsd_server_packet_t; - ') - - allow $1 apcupsd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive apcupsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl - - gen_require(` - type apcupsd_server_packet_t; - ') - - dontaudit $1 apcupsd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive apcupsd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_server_packets'($*)) dnl - - corenet_send_apcupsd_server_packets($1) - corenet_receive_apcupsd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive apcupsd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl - - corenet_dontaudit_send_apcupsd_server_packets($1) - corenet_dontaudit_receive_apcupsd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to apcupsd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_apcupsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_server_packets'($*)) dnl - - gen_require(` - type apcupsd_server_packet_t; - ') - - allow $1 apcupsd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the apertus_ldp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the apertus_ldp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the apertus_ldp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the apertus_ldp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the apertus_ldp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the apertus_ldp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the apertus_ldp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the apertus_ldp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apertus_ldp_port'($*)) dnl - - gen_require(` - type apertus_ldp_port_t; - ') - - allow $1 apertus_ldp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the apertus_ldp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apertus_ldp_port'($*)) dnl - - gen_require(` - type apertus_ldp_port_t; - ') - - allow $1 apertus_ldp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apertus_ldp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the apertus_ldp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_apertus_ldp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apertus_ldp_port'($*)) dnl - - gen_require(` - type apertus_ldp_port_t; - ') - - allow $1 apertus_ldp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apertus_ldp_port'($*)) dnl - ') - - - -######################################## -## -## Send apertus_ldp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_client_packets'($*)) dnl - - gen_require(` - type apertus_ldp_client_packet_t; - ') - - allow $1 apertus_ldp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send apertus_ldp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_client_packets'($*)) dnl - - gen_require(` - type apertus_ldp_client_packet_t; - ') - - dontaudit $1 apertus_ldp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive apertus_ldp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_client_packets'($*)) dnl - - gen_require(` - type apertus_ldp_client_packet_t; - ') - - allow $1 apertus_ldp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive apertus_ldp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_client_packets'($*)) dnl - - gen_require(` - type apertus_ldp_client_packet_t; - ') - - dontaudit $1 apertus_ldp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive apertus_ldp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_client_packets'($*)) dnl - - corenet_send_apertus_ldp_client_packets($1) - corenet_receive_apertus_ldp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive apertus_ldp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*)) dnl - - corenet_dontaudit_send_apertus_ldp_client_packets($1) - corenet_dontaudit_receive_apertus_ldp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to apertus_ldp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_apertus_ldp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_client_packets'($*)) dnl - - gen_require(` - type apertus_ldp_client_packet_t; - ') - - allow $1 apertus_ldp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send apertus_ldp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_server_packets'($*)) dnl - - gen_require(` - type apertus_ldp_server_packet_t; - ') - - allow $1 apertus_ldp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send apertus_ldp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_server_packets'($*)) dnl - - gen_require(` - type apertus_ldp_server_packet_t; - ') - - dontaudit $1 apertus_ldp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive apertus_ldp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_server_packets'($*)) dnl - - gen_require(` - type apertus_ldp_server_packet_t; - ') - - allow $1 apertus_ldp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive apertus_ldp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_server_packets'($*)) dnl - - gen_require(` - type apertus_ldp_server_packet_t; - ') - - dontaudit $1 apertus_ldp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive apertus_ldp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_server_packets'($*)) dnl - - corenet_send_apertus_ldp_server_packets($1) - corenet_receive_apertus_ldp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive apertus_ldp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*)) dnl - - corenet_dontaudit_send_apertus_ldp_server_packets($1) - corenet_dontaudit_receive_apertus_ldp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to apertus_ldp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_apertus_ldp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_server_packets'($*)) dnl - - gen_require(` - type apertus_ldp_server_packet_t; - ') - - allow $1 apertus_ldp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the armtechdaemon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the armtechdaemon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the armtechdaemon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the armtechdaemon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the armtechdaemon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the armtechdaemon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the armtechdaemon port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_armtechdaemon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the armtechdaemon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_armtechdaemon_port'($*)) dnl - - gen_require(` - type armtechdaemon_port_t; - ') - - allow $1 armtechdaemon_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the armtechdaemon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_armtechdaemon_port'($*)) dnl - - gen_require(` - type armtechdaemon_port_t; - ') - - allow $1 armtechdaemon_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_armtechdaemon_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the armtechdaemon port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_armtechdaemon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_armtechdaemon_port'($*)) dnl - - gen_require(` - type armtechdaemon_port_t; - ') - - allow $1 armtechdaemon_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_armtechdaemon_port'($*)) dnl - ') - - - -######################################## -## -## Send armtechdaemon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_armtechdaemon_client_packets'($*)) dnl - - gen_require(` - type armtechdaemon_client_packet_t; - ') - - allow $1 armtechdaemon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send armtechdaemon_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_armtechdaemon_client_packets'($*)) dnl - - gen_require(` - type armtechdaemon_client_packet_t; - ') - - dontaudit $1 armtechdaemon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive armtechdaemon_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_armtechdaemon_client_packets'($*)) dnl - - gen_require(` - type armtechdaemon_client_packet_t; - ') - - allow $1 armtechdaemon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive armtechdaemon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_armtechdaemon_client_packets'($*)) dnl - - gen_require(` - type armtechdaemon_client_packet_t; - ') - - dontaudit $1 armtechdaemon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive armtechdaemon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_armtechdaemon_client_packets'($*)) dnl - - corenet_send_armtechdaemon_client_packets($1) - corenet_receive_armtechdaemon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive armtechdaemon_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_armtechdaemon_client_packets'($*)) dnl - - corenet_dontaudit_send_armtechdaemon_client_packets($1) - corenet_dontaudit_receive_armtechdaemon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_armtechdaemon_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to armtechdaemon_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_armtechdaemon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_armtechdaemon_client_packets'($*)) dnl - - gen_require(` - type armtechdaemon_client_packet_t; - ') - - allow $1 armtechdaemon_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_armtechdaemon_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send armtechdaemon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_armtechdaemon_server_packets'($*)) dnl - - gen_require(` - type armtechdaemon_server_packet_t; - ') - - allow $1 armtechdaemon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send armtechdaemon_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_armtechdaemon_server_packets'($*)) dnl - - gen_require(` - type armtechdaemon_server_packet_t; - ') - - dontaudit $1 armtechdaemon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive armtechdaemon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_armtechdaemon_server_packets'($*)) dnl - - gen_require(` - type armtechdaemon_server_packet_t; - ') - - allow $1 armtechdaemon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive armtechdaemon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_armtechdaemon_server_packets'($*)) dnl - - gen_require(` - type armtechdaemon_server_packet_t; - ') - - dontaudit $1 armtechdaemon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive armtechdaemon_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_armtechdaemon_server_packets'($*)) dnl - - corenet_send_armtechdaemon_server_packets($1) - corenet_receive_armtechdaemon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive armtechdaemon_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_armtechdaemon_server_packets'($*)) dnl - - corenet_dontaudit_send_armtechdaemon_server_packets($1) - corenet_dontaudit_receive_armtechdaemon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_armtechdaemon_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to armtechdaemon_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_armtechdaemon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_armtechdaemon_server_packets'($*)) dnl - - gen_require(` - type armtechdaemon_server_packet_t; - ') - - allow $1 armtechdaemon_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_armtechdaemon_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the asterisk port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the asterisk port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the asterisk port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the asterisk port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the asterisk port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the asterisk port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the asterisk port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the asterisk port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_asterisk_port'($*)) dnl - - gen_require(` - type asterisk_port_t; - ') - - allow $1 asterisk_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the asterisk port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_asterisk_port'($*)) dnl - - gen_require(` - type asterisk_port_t; - ') - - allow $1 asterisk_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_asterisk_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the asterisk port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_asterisk_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_asterisk_port'($*)) dnl - - gen_require(` - type asterisk_port_t; - ') - - allow $1 asterisk_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_asterisk_port'($*)) dnl - ') - - - -######################################## -## -## Send asterisk_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_client_packets'($*)) dnl - - gen_require(` - type asterisk_client_packet_t; - ') - - allow $1 asterisk_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send asterisk_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl - - gen_require(` - type asterisk_client_packet_t; - ') - - dontaudit $1 asterisk_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive asterisk_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_client_packets'($*)) dnl - - gen_require(` - type asterisk_client_packet_t; - ') - - allow $1 asterisk_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive asterisk_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl - - gen_require(` - type asterisk_client_packet_t; - ') - - dontaudit $1 asterisk_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive asterisk_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_client_packets'($*)) dnl - - corenet_send_asterisk_client_packets($1) - corenet_receive_asterisk_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive asterisk_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl - - corenet_dontaudit_send_asterisk_client_packets($1) - corenet_dontaudit_receive_asterisk_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to asterisk_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_asterisk_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_client_packets'($*)) dnl - - gen_require(` - type asterisk_client_packet_t; - ') - - allow $1 asterisk_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send asterisk_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_server_packets'($*)) dnl - - gen_require(` - type asterisk_server_packet_t; - ') - - allow $1 asterisk_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send asterisk_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl - - gen_require(` - type asterisk_server_packet_t; - ') - - dontaudit $1 asterisk_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive asterisk_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_server_packets'($*)) dnl - - gen_require(` - type asterisk_server_packet_t; - ') - - allow $1 asterisk_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive asterisk_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl - - gen_require(` - type asterisk_server_packet_t; - ') - - dontaudit $1 asterisk_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive asterisk_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_server_packets'($*)) dnl - - corenet_send_asterisk_server_packets($1) - corenet_receive_asterisk_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive asterisk_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl - - corenet_dontaudit_send_asterisk_server_packets($1) - corenet_dontaudit_receive_asterisk_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to asterisk_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_asterisk_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_server_packets'($*)) dnl - - gen_require(` - type asterisk_server_packet_t; - ') - - allow $1 asterisk_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the audit port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_audit_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the audit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_audit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the audit port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_audit_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the audit port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_audit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the audit port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_audit_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the audit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_audit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the audit port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the audit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_audit_port'($*)) dnl - - gen_require(` - type audit_port_t; - ') - - allow $1 audit_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_audit_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the audit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_audit_port'($*)) dnl - - gen_require(` - type audit_port_t; - ') - - allow $1 audit_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_audit_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the audit port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_audit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_audit_port'($*)) dnl - - gen_require(` - type audit_port_t; - ') - - allow $1 audit_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_audit_port'($*)) dnl - ') - - - -######################################## -## -## Send audit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_audit_client_packets'($*)) dnl - - gen_require(` - type audit_client_packet_t; - ') - - allow $1 audit_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send audit_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_client_packets'($*)) dnl - - gen_require(` - type audit_client_packet_t; - ') - - dontaudit $1 audit_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive audit_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_client_packets'($*)) dnl - - gen_require(` - type audit_client_packet_t; - ') - - allow $1 audit_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive audit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_client_packets'($*)) dnl - - gen_require(` - type audit_client_packet_t; - ') - - dontaudit $1 audit_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive audit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_client_packets'($*)) dnl - - corenet_send_audit_client_packets($1) - corenet_receive_audit_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive audit_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl - - corenet_dontaudit_send_audit_client_packets($1) - corenet_dontaudit_receive_audit_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to audit_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_audit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_client_packets'($*)) dnl - - gen_require(` - type audit_client_packet_t; - ') - - allow $1 audit_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send audit_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_audit_server_packets'($*)) dnl - - gen_require(` - type audit_server_packet_t; - ') - - allow $1 audit_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send audit_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_server_packets'($*)) dnl - - gen_require(` - type audit_server_packet_t; - ') - - dontaudit $1 audit_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive audit_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_server_packets'($*)) dnl - - gen_require(` - type audit_server_packet_t; - ') - - allow $1 audit_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive audit_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_server_packets'($*)) dnl - - gen_require(` - type audit_server_packet_t; - ') - - dontaudit $1 audit_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive audit_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_server_packets'($*)) dnl - - corenet_send_audit_server_packets($1) - corenet_receive_audit_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive audit_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl - - corenet_dontaudit_send_audit_server_packets($1) - corenet_dontaudit_receive_audit_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to audit_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_audit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_server_packets'($*)) dnl - - gen_require(` - type audit_server_packet_t; - ') - - allow $1 audit_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the auth port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_auth_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the auth port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_auth_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the auth port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_auth_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the auth port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_auth_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the auth port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_auth_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the auth port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_auth_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the auth port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the auth port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_auth_port'($*)) dnl - - gen_require(` - type auth_port_t; - ') - - allow $1 auth_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_auth_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the auth port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_auth_port'($*)) dnl - - gen_require(` - type auth_port_t; - ') - - allow $1 auth_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_auth_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the auth port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_auth_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_auth_port'($*)) dnl - - gen_require(` - type auth_port_t; - ') - - allow $1 auth_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_auth_port'($*)) dnl - ') - - - -######################################## -## -## Send auth_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_auth_client_packets'($*)) dnl - - gen_require(` - type auth_client_packet_t; - ') - - allow $1 auth_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send auth_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_client_packets'($*)) dnl - - gen_require(` - type auth_client_packet_t; - ') - - dontaudit $1 auth_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive auth_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_client_packets'($*)) dnl - - gen_require(` - type auth_client_packet_t; - ') - - allow $1 auth_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive auth_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_client_packets'($*)) dnl - - gen_require(` - type auth_client_packet_t; - ') - - dontaudit $1 auth_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive auth_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_client_packets'($*)) dnl - - corenet_send_auth_client_packets($1) - corenet_receive_auth_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive auth_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl - - corenet_dontaudit_send_auth_client_packets($1) - corenet_dontaudit_receive_auth_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to auth_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_auth_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_client_packets'($*)) dnl - - gen_require(` - type auth_client_packet_t; - ') - - allow $1 auth_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send auth_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_auth_server_packets'($*)) dnl - - gen_require(` - type auth_server_packet_t; - ') - - allow $1 auth_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send auth_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_server_packets'($*)) dnl - - gen_require(` - type auth_server_packet_t; - ') - - dontaudit $1 auth_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive auth_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_server_packets'($*)) dnl - - gen_require(` - type auth_server_packet_t; - ') - - allow $1 auth_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive auth_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_server_packets'($*)) dnl - - gen_require(` - type auth_server_packet_t; - ') - - dontaudit $1 auth_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive auth_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_server_packets'($*)) dnl - - corenet_send_auth_server_packets($1) - corenet_receive_auth_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive auth_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl - - corenet_dontaudit_send_auth_server_packets($1) - corenet_dontaudit_receive_auth_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to auth_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_auth_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_server_packets'($*)) dnl - - gen_require(` - type auth_server_packet_t; - ') - - allow $1 auth_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the bgp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bgp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the bgp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_bgp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the bgp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bgp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the bgp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bgp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the bgp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the bgp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bgp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the bgp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the bgp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bgp_port'($*)) dnl - - gen_require(` - type bgp_port_t; - ') - - allow $1 bgp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bgp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the bgp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bgp_port'($*)) dnl - - gen_require(` - type bgp_port_t; - ') - - allow $1 bgp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bgp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the bgp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_bgp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bgp_port'($*)) dnl - - gen_require(` - type bgp_port_t; - ') - - allow $1 bgp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bgp_port'($*)) dnl - ') - - - -######################################## -## -## Send bgp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_client_packets'($*)) dnl - - gen_require(` - type bgp_client_packet_t; - ') - - allow $1 bgp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send bgp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_client_packets'($*)) dnl - - gen_require(` - type bgp_client_packet_t; - ') - - dontaudit $1 bgp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive bgp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_client_packets'($*)) dnl - - gen_require(` - type bgp_client_packet_t; - ') - - allow $1 bgp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive bgp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl - - gen_require(` - type bgp_client_packet_t; - ') - - dontaudit $1 bgp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive bgp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_client_packets'($*)) dnl - - corenet_send_bgp_client_packets($1) - corenet_receive_bgp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive bgp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl - - corenet_dontaudit_send_bgp_client_packets($1) - corenet_dontaudit_receive_bgp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to bgp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_bgp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_client_packets'($*)) dnl - - gen_require(` - type bgp_client_packet_t; - ') - - allow $1 bgp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send bgp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_server_packets'($*)) dnl - - gen_require(` - type bgp_server_packet_t; - ') - - allow $1 bgp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send bgp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_server_packets'($*)) dnl - - gen_require(` - type bgp_server_packet_t; - ') - - dontaudit $1 bgp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive bgp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_server_packets'($*)) dnl - - gen_require(` - type bgp_server_packet_t; - ') - - allow $1 bgp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive bgp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl - - gen_require(` - type bgp_server_packet_t; - ') - - dontaudit $1 bgp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive bgp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_server_packets'($*)) dnl - - corenet_send_bgp_server_packets($1) - corenet_receive_bgp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive bgp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl - - corenet_dontaudit_send_bgp_server_packets($1) - corenet_dontaudit_receive_bgp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to bgp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_bgp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_server_packets'($*)) dnl - - gen_require(` - type bgp_server_packet_t; - ') - - allow $1 bgp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the bitcoin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the bitcoin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the bitcoin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the bitcoin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the bitcoin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the bitcoin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the bitcoin port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bitcoin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the bitcoin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bitcoin_port'($*)) dnl - - gen_require(` - type bitcoin_port_t; - ') - - allow $1 bitcoin_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the bitcoin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bitcoin_port'($*)) dnl - - gen_require(` - type bitcoin_port_t; - ') - - allow $1 bitcoin_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bitcoin_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the bitcoin port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_bitcoin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bitcoin_port'($*)) dnl - - gen_require(` - type bitcoin_port_t; - ') - - allow $1 bitcoin_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bitcoin_port'($*)) dnl - ') - - - -######################################## -## -## Send bitcoin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_bitcoin_client_packets'($*)) dnl - - gen_require(` - type bitcoin_client_packet_t; - ') - - allow $1 bitcoin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send bitcoin_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bitcoin_client_packets'($*)) dnl - - gen_require(` - type bitcoin_client_packet_t; - ') - - dontaudit $1 bitcoin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive bitcoin_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_bitcoin_client_packets'($*)) dnl - - gen_require(` - type bitcoin_client_packet_t; - ') - - allow $1 bitcoin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive bitcoin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bitcoin_client_packets'($*)) dnl - - gen_require(` - type bitcoin_client_packet_t; - ') - - dontaudit $1 bitcoin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive bitcoin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bitcoin_client_packets'($*)) dnl - - corenet_send_bitcoin_client_packets($1) - corenet_receive_bitcoin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive bitcoin_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bitcoin_client_packets'($*)) dnl - - corenet_dontaudit_send_bitcoin_client_packets($1) - corenet_dontaudit_receive_bitcoin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bitcoin_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to bitcoin_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_bitcoin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bitcoin_client_packets'($*)) dnl - - gen_require(` - type bitcoin_client_packet_t; - ') - - allow $1 bitcoin_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_bitcoin_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send bitcoin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_bitcoin_server_packets'($*)) dnl - - gen_require(` - type bitcoin_server_packet_t; - ') - - allow $1 bitcoin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send bitcoin_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bitcoin_server_packets'($*)) dnl - - gen_require(` - type bitcoin_server_packet_t; - ') - - dontaudit $1 bitcoin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive bitcoin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_bitcoin_server_packets'($*)) dnl - - gen_require(` - type bitcoin_server_packet_t; - ') - - allow $1 bitcoin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive bitcoin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bitcoin_server_packets'($*)) dnl - - gen_require(` - type bitcoin_server_packet_t; - ') - - dontaudit $1 bitcoin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive bitcoin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bitcoin_server_packets'($*)) dnl - - corenet_send_bitcoin_server_packets($1) - corenet_receive_bitcoin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive bitcoin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bitcoin_server_packets'($*)) dnl - - corenet_dontaudit_send_bitcoin_server_packets($1) - corenet_dontaudit_receive_bitcoin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bitcoin_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to bitcoin_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_bitcoin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bitcoin_server_packets'($*)) dnl - - gen_require(` - type bitcoin_server_packet_t; - ') - - allow $1 bitcoin_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_bitcoin_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the boinc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the boinc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the boinc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the boinc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the boinc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the boinc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the boinc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the boinc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_port'($*)) dnl - - gen_require(` - type boinc_port_t; - ') - - allow $1 boinc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the boinc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_port'($*)) dnl - - gen_require(` - type boinc_port_t; - ') - - allow $1 boinc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the boinc port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_boinc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_port'($*)) dnl - - gen_require(` - type boinc_port_t; - ') - - allow $1 boinc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_port'($*)) dnl - ') - - - -######################################## -## -## Send boinc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_packets'($*)) dnl - - gen_require(` - type boinc_client_packet_t; - ') - - allow $1 boinc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send boinc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_packets'($*)) dnl - - gen_require(` - type boinc_client_packet_t; - ') - - dontaudit $1 boinc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive boinc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_packets'($*)) dnl - - gen_require(` - type boinc_client_packet_t; - ') - - allow $1 boinc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive boinc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl - - gen_require(` - type boinc_client_packet_t; - ') - - dontaudit $1 boinc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive boinc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_packets'($*)) dnl - - corenet_send_boinc_client_packets($1) - corenet_receive_boinc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive boinc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl - - corenet_dontaudit_send_boinc_client_packets($1) - corenet_dontaudit_receive_boinc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to boinc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_boinc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_packets'($*)) dnl - - gen_require(` - type boinc_client_packet_t; - ') - - allow $1 boinc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send boinc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_server_packets'($*)) dnl - - gen_require(` - type boinc_server_packet_t; - ') - - allow $1 boinc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send boinc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_server_packets'($*)) dnl - - gen_require(` - type boinc_server_packet_t; - ') - - dontaudit $1 boinc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive boinc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_server_packets'($*)) dnl - - gen_require(` - type boinc_server_packet_t; - ') - - allow $1 boinc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive boinc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl - - gen_require(` - type boinc_server_packet_t; - ') - - dontaudit $1 boinc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive boinc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_server_packets'($*)) dnl - - corenet_send_boinc_server_packets($1) - corenet_receive_boinc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive boinc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl - - corenet_dontaudit_send_boinc_server_packets($1) - corenet_dontaudit_receive_boinc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to boinc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_boinc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_server_packets'($*)) dnl - - gen_require(` - type boinc_server_packet_t; - ') - - allow $1 boinc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the boinc_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the boinc_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the boinc_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the boinc_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the boinc_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the boinc_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the boinc_client port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the boinc_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_client_port'($*)) dnl - - gen_require(` - type boinc_client_port_t; - ') - - allow $1 boinc_client_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the boinc_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_client_port'($*)) dnl - - gen_require(` - type boinc_client_port_t; - ') - - allow $1 boinc_client_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_client_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the boinc_client port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_boinc_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_client_port'($*)) dnl - - gen_require(` - type boinc_client_port_t; - ') - - allow $1 boinc_client_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_client_port'($*)) dnl - ') - - - -######################################## -## -## Send boinc_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_client_packets'($*)) dnl - - gen_require(` - type boinc_client_client_packet_t; - ') - - allow $1 boinc_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send boinc_client_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl - - gen_require(` - type boinc_client_client_packet_t; - ') - - dontaudit $1 boinc_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive boinc_client_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_client_packets'($*)) dnl - - gen_require(` - type boinc_client_client_packet_t; - ') - - allow $1 boinc_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive boinc_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl - - gen_require(` - type boinc_client_client_packet_t; - ') - - dontaudit $1 boinc_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive boinc_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_client_packets'($*)) dnl - - corenet_send_boinc_client_client_packets($1) - corenet_receive_boinc_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive boinc_client_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl - - corenet_dontaudit_send_boinc_client_client_packets($1) - corenet_dontaudit_receive_boinc_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to boinc_client_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_boinc_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_client_packets'($*)) dnl - - gen_require(` - type boinc_client_client_packet_t; - ') - - allow $1 boinc_client_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send boinc_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_server_packets'($*)) dnl - - gen_require(` - type boinc_client_server_packet_t; - ') - - allow $1 boinc_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send boinc_client_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl - - gen_require(` - type boinc_client_server_packet_t; - ') - - dontaudit $1 boinc_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive boinc_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_server_packets'($*)) dnl - - gen_require(` - type boinc_client_server_packet_t; - ') - - allow $1 boinc_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive boinc_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl - - gen_require(` - type boinc_client_server_packet_t; - ') - - dontaudit $1 boinc_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive boinc_client_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_server_packets'($*)) dnl - - corenet_send_boinc_client_server_packets($1) - corenet_receive_boinc_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive boinc_client_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl - - corenet_dontaudit_send_boinc_client_server_packets($1) - corenet_dontaudit_receive_boinc_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to boinc_client_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_boinc_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_server_packets'($*)) dnl - - gen_require(` - type boinc_client_server_packet_t; - ') - - allow $1 boinc_client_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the biff port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_biff_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the biff port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_biff_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the biff port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_biff_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the biff port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_biff_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the biff port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_biff_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the biff port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_biff_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the biff port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the biff port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_biff_port'($*)) dnl - - gen_require(` - type biff_port_t; - ') - - allow $1 biff_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_biff_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the biff port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_biff_port'($*)) dnl - - gen_require(` - type biff_port_t; - ') - - allow $1 biff_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_biff_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the biff port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_biff_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_biff_port'($*)) dnl - - gen_require(` - type biff_port_t; - ') - - allow $1 biff_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_biff_port'($*)) dnl - ') - - - -######################################## -## -## Send biff_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_biff_client_packets'($*)) dnl - - gen_require(` - type biff_client_packet_t; - ') - - allow $1 biff_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send biff_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_client_packets'($*)) dnl - - gen_require(` - type biff_client_packet_t; - ') - - dontaudit $1 biff_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive biff_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_client_packets'($*)) dnl - - gen_require(` - type biff_client_packet_t; - ') - - allow $1 biff_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive biff_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_client_packets'($*)) dnl - - gen_require(` - type biff_client_packet_t; - ') - - dontaudit $1 biff_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive biff_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_client_packets'($*)) dnl - - corenet_send_biff_client_packets($1) - corenet_receive_biff_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive biff_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl - - corenet_dontaudit_send_biff_client_packets($1) - corenet_dontaudit_receive_biff_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to biff_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_biff_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_client_packets'($*)) dnl - - gen_require(` - type biff_client_packet_t; - ') - - allow $1 biff_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send biff_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_biff_server_packets'($*)) dnl - - gen_require(` - type biff_server_packet_t; - ') - - allow $1 biff_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send biff_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_server_packets'($*)) dnl - - gen_require(` - type biff_server_packet_t; - ') - - dontaudit $1 biff_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive biff_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_server_packets'($*)) dnl - - gen_require(` - type biff_server_packet_t; - ') - - allow $1 biff_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive biff_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_server_packets'($*)) dnl - - gen_require(` - type biff_server_packet_t; - ') - - dontaudit $1 biff_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive biff_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_server_packets'($*)) dnl - - corenet_send_biff_server_packets($1) - corenet_receive_biff_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive biff_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl - - corenet_dontaudit_send_biff_server_packets($1) - corenet_dontaudit_receive_biff_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to biff_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_biff_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_server_packets'($*)) dnl - - gen_require(` - type biff_server_packet_t; - ') - - allow $1 biff_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the certmaster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the certmaster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the certmaster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the certmaster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the certmaster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the certmaster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the certmaster port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the certmaster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_certmaster_port'($*)) dnl - - gen_require(` - type certmaster_port_t; - ') - - allow $1 certmaster_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the certmaster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_certmaster_port'($*)) dnl - - gen_require(` - type certmaster_port_t; - ') - - allow $1 certmaster_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_certmaster_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the certmaster port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_certmaster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_certmaster_port'($*)) dnl - - gen_require(` - type certmaster_port_t; - ') - - allow $1 certmaster_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_certmaster_port'($*)) dnl - ') - - - -######################################## -## -## Send certmaster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_client_packets'($*)) dnl - - gen_require(` - type certmaster_client_packet_t; - ') - - allow $1 certmaster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send certmaster_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl - - gen_require(` - type certmaster_client_packet_t; - ') - - dontaudit $1 certmaster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive certmaster_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_client_packets'($*)) dnl - - gen_require(` - type certmaster_client_packet_t; - ') - - allow $1 certmaster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive certmaster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl - - gen_require(` - type certmaster_client_packet_t; - ') - - dontaudit $1 certmaster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive certmaster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_client_packets'($*)) dnl - - corenet_send_certmaster_client_packets($1) - corenet_receive_certmaster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive certmaster_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl - - corenet_dontaudit_send_certmaster_client_packets($1) - corenet_dontaudit_receive_certmaster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to certmaster_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_certmaster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_client_packets'($*)) dnl - - gen_require(` - type certmaster_client_packet_t; - ') - - allow $1 certmaster_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send certmaster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_server_packets'($*)) dnl - - gen_require(` - type certmaster_server_packet_t; - ') - - allow $1 certmaster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send certmaster_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl - - gen_require(` - type certmaster_server_packet_t; - ') - - dontaudit $1 certmaster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive certmaster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_server_packets'($*)) dnl - - gen_require(` - type certmaster_server_packet_t; - ') - - allow $1 certmaster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive certmaster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl - - gen_require(` - type certmaster_server_packet_t; - ') - - dontaudit $1 certmaster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive certmaster_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_server_packets'($*)) dnl - - corenet_send_certmaster_server_packets($1) - corenet_receive_certmaster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive certmaster_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl - - corenet_dontaudit_send_certmaster_server_packets($1) - corenet_dontaudit_receive_certmaster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to certmaster_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_certmaster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_server_packets'($*)) dnl - - gen_require(` - type certmaster_server_packet_t; - ') - - allow $1 certmaster_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the chronyd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the chronyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the chronyd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the chronyd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the chronyd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the chronyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the chronyd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the chronyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_chronyd_port'($*)) dnl - - gen_require(` - type chronyd_port_t; - ') - - allow $1 chronyd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the chronyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_chronyd_port'($*)) dnl - - gen_require(` - type chronyd_port_t; - ') - - allow $1 chronyd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_chronyd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the chronyd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_chronyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_chronyd_port'($*)) dnl - - gen_require(` - type chronyd_port_t; - ') - - allow $1 chronyd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_chronyd_port'($*)) dnl - ') - - - -######################################## -## -## Send chronyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_client_packets'($*)) dnl - - gen_require(` - type chronyd_client_packet_t; - ') - - allow $1 chronyd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send chronyd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl - - gen_require(` - type chronyd_client_packet_t; - ') - - dontaudit $1 chronyd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive chronyd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_client_packets'($*)) dnl - - gen_require(` - type chronyd_client_packet_t; - ') - - allow $1 chronyd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive chronyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl - - gen_require(` - type chronyd_client_packet_t; - ') - - dontaudit $1 chronyd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive chronyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_client_packets'($*)) dnl - - corenet_send_chronyd_client_packets($1) - corenet_receive_chronyd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive chronyd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl - - corenet_dontaudit_send_chronyd_client_packets($1) - corenet_dontaudit_receive_chronyd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to chronyd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_chronyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_client_packets'($*)) dnl - - gen_require(` - type chronyd_client_packet_t; - ') - - allow $1 chronyd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send chronyd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_server_packets'($*)) dnl - - gen_require(` - type chronyd_server_packet_t; - ') - - allow $1 chronyd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send chronyd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl - - gen_require(` - type chronyd_server_packet_t; - ') - - dontaudit $1 chronyd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive chronyd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_server_packets'($*)) dnl - - gen_require(` - type chronyd_server_packet_t; - ') - - allow $1 chronyd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive chronyd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl - - gen_require(` - type chronyd_server_packet_t; - ') - - dontaudit $1 chronyd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive chronyd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_server_packets'($*)) dnl - - corenet_send_chronyd_server_packets($1) - corenet_receive_chronyd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive chronyd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl - - corenet_dontaudit_send_chronyd_server_packets($1) - corenet_dontaudit_receive_chronyd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to chronyd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_chronyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_server_packets'($*)) dnl - - gen_require(` - type chronyd_server_packet_t; - ') - - allow $1 chronyd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the clamd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clamd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the clamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_clamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the clamd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clamd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the clamd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the clamd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the clamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the clamd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the clamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clamd_port'($*)) dnl - - gen_require(` - type clamd_port_t; - ') - - allow $1 clamd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clamd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the clamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clamd_port'($*)) dnl - - gen_require(` - type clamd_port_t; - ') - - allow $1 clamd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clamd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the clamd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_clamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clamd_port'($*)) dnl - - gen_require(` - type clamd_port_t; - ') - - allow $1 clamd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clamd_port'($*)) dnl - ') - - - -######################################## -## -## Send clamd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_client_packets'($*)) dnl - - gen_require(` - type clamd_client_packet_t; - ') - - allow $1 clamd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send clamd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_client_packets'($*)) dnl - - gen_require(` - type clamd_client_packet_t; - ') - - dontaudit $1 clamd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive clamd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_client_packets'($*)) dnl - - gen_require(` - type clamd_client_packet_t; - ') - - allow $1 clamd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive clamd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl - - gen_require(` - type clamd_client_packet_t; - ') - - dontaudit $1 clamd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive clamd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_client_packets'($*)) dnl - - corenet_send_clamd_client_packets($1) - corenet_receive_clamd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive clamd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl - - corenet_dontaudit_send_clamd_client_packets($1) - corenet_dontaudit_receive_clamd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to clamd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_clamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_client_packets'($*)) dnl - - gen_require(` - type clamd_client_packet_t; - ') - - allow $1 clamd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send clamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_server_packets'($*)) dnl - - gen_require(` - type clamd_server_packet_t; - ') - - allow $1 clamd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send clamd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_server_packets'($*)) dnl - - gen_require(` - type clamd_server_packet_t; - ') - - dontaudit $1 clamd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive clamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_server_packets'($*)) dnl - - gen_require(` - type clamd_server_packet_t; - ') - - allow $1 clamd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive clamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl - - gen_require(` - type clamd_server_packet_t; - ') - - dontaudit $1 clamd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive clamd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_server_packets'($*)) dnl - - corenet_send_clamd_server_packets($1) - corenet_receive_clamd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive clamd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl - - corenet_dontaudit_send_clamd_server_packets($1) - corenet_dontaudit_receive_clamd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to clamd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_clamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_server_packets'($*)) dnl - - gen_require(` - type clamd_server_packet_t; - ') - - allow $1 clamd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the clockspeed port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the clockspeed port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the clockspeed port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the clockspeed port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the clockspeed port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the clockspeed port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the clockspeed port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the clockspeed port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clockspeed_port'($*)) dnl - - gen_require(` - type clockspeed_port_t; - ') - - allow $1 clockspeed_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the clockspeed port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clockspeed_port'($*)) dnl - - gen_require(` - type clockspeed_port_t; - ') - - allow $1 clockspeed_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clockspeed_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the clockspeed port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_clockspeed_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clockspeed_port'($*)) dnl - - gen_require(` - type clockspeed_port_t; - ') - - allow $1 clockspeed_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clockspeed_port'($*)) dnl - ') - - - -######################################## -## -## Send clockspeed_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_client_packets'($*)) dnl - - gen_require(` - type clockspeed_client_packet_t; - ') - - allow $1 clockspeed_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send clockspeed_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl - - gen_require(` - type clockspeed_client_packet_t; - ') - - dontaudit $1 clockspeed_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive clockspeed_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_client_packets'($*)) dnl - - gen_require(` - type clockspeed_client_packet_t; - ') - - allow $1 clockspeed_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive clockspeed_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl - - gen_require(` - type clockspeed_client_packet_t; - ') - - dontaudit $1 clockspeed_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive clockspeed_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_client_packets'($*)) dnl - - corenet_send_clockspeed_client_packets($1) - corenet_receive_clockspeed_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive clockspeed_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl - - corenet_dontaudit_send_clockspeed_client_packets($1) - corenet_dontaudit_receive_clockspeed_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to clockspeed_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_clockspeed_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_client_packets'($*)) dnl - - gen_require(` - type clockspeed_client_packet_t; - ') - - allow $1 clockspeed_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send clockspeed_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_server_packets'($*)) dnl - - gen_require(` - type clockspeed_server_packet_t; - ') - - allow $1 clockspeed_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send clockspeed_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl - - gen_require(` - type clockspeed_server_packet_t; - ') - - dontaudit $1 clockspeed_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive clockspeed_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_server_packets'($*)) dnl - - gen_require(` - type clockspeed_server_packet_t; - ') - - allow $1 clockspeed_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive clockspeed_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl - - gen_require(` - type clockspeed_server_packet_t; - ') - - dontaudit $1 clockspeed_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive clockspeed_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_server_packets'($*)) dnl - - corenet_send_clockspeed_server_packets($1) - corenet_receive_clockspeed_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive clockspeed_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl - - corenet_dontaudit_send_clockspeed_server_packets($1) - corenet_dontaudit_receive_clockspeed_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to clockspeed_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_clockspeed_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_server_packets'($*)) dnl - - gen_require(` - type clockspeed_server_packet_t; - ') - - allow $1 clockspeed_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cluster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cluster_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cluster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cluster_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cluster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cluster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cluster port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cluster_port'($*)) dnl - - gen_require(` - type cluster_port_t; - ') - - allow $1 cluster_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cluster_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cluster_port'($*)) dnl - - gen_require(` - type cluster_port_t; - ') - - allow $1 cluster_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cluster_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cluster port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cluster_port'($*)) dnl - - gen_require(` - type cluster_port_t; - ') - - allow $1 cluster_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cluster_port'($*)) dnl - ') - - - -######################################## -## -## Send cluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_client_packets'($*)) dnl - - gen_require(` - type cluster_client_packet_t; - ') - - allow $1 cluster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cluster_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_client_packets'($*)) dnl - - gen_require(` - type cluster_client_packet_t; - ') - - dontaudit $1 cluster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cluster_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_client_packets'($*)) dnl - - gen_require(` - type cluster_client_packet_t; - ') - - allow $1 cluster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl - - gen_require(` - type cluster_client_packet_t; - ') - - dontaudit $1 cluster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_client_packets'($*)) dnl - - corenet_send_cluster_client_packets($1) - corenet_receive_cluster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cluster_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl - - corenet_dontaudit_send_cluster_client_packets($1) - corenet_dontaudit_receive_cluster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cluster_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_client_packets'($*)) dnl - - gen_require(` - type cluster_client_packet_t; - ') - - allow $1 cluster_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_server_packets'($*)) dnl - - gen_require(` - type cluster_server_packet_t; - ') - - allow $1 cluster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cluster_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_server_packets'($*)) dnl - - gen_require(` - type cluster_server_packet_t; - ') - - dontaudit $1 cluster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_server_packets'($*)) dnl - - gen_require(` - type cluster_server_packet_t; - ') - - allow $1 cluster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl - - gen_require(` - type cluster_server_packet_t; - ') - - dontaudit $1 cluster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cluster_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_server_packets'($*)) dnl - - corenet_send_cluster_server_packets($1) - corenet_receive_cluster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cluster_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl - - corenet_dontaudit_send_cluster_server_packets($1) - corenet_dontaudit_receive_cluster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cluster_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_server_packets'($*)) dnl - - gen_require(` - type cluster_server_packet_t; - ') - - allow $1 cluster_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cma port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cma_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cma port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cma_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cma port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cma port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cma_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cma port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cma_port'($*)) dnl - - gen_require(` - type cma_port_t; - ') - - allow $1 cma_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cma_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cma_port'($*)) dnl - - gen_require(` - type cma_port_t; - ') - - allow $1 cma_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cma_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cma port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cma_port'($*)) dnl - - gen_require(` - type cma_port_t; - ') - - allow $1 cma_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cma_port'($*)) dnl - ') - - - -######################################## -## -## Send cma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cma_client_packets'($*)) dnl - - gen_require(` - type cma_client_packet_t; - ') - - allow $1 cma_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cma_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_client_packets'($*)) dnl - - gen_require(` - type cma_client_packet_t; - ') - - dontaudit $1 cma_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cma_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_client_packets'($*)) dnl - - gen_require(` - type cma_client_packet_t; - ') - - allow $1 cma_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_client_packets'($*)) dnl - - gen_require(` - type cma_client_packet_t; - ') - - dontaudit $1 cma_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_client_packets'($*)) dnl - - corenet_send_cma_client_packets($1) - corenet_receive_cma_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cma_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl - - corenet_dontaudit_send_cma_client_packets($1) - corenet_dontaudit_receive_cma_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cma_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_client_packets'($*)) dnl - - gen_require(` - type cma_client_packet_t; - ') - - allow $1 cma_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cma_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cma_server_packets'($*)) dnl - - gen_require(` - type cma_server_packet_t; - ') - - allow $1 cma_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cma_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_server_packets'($*)) dnl - - gen_require(` - type cma_server_packet_t; - ') - - dontaudit $1 cma_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cma_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_server_packets'($*)) dnl - - gen_require(` - type cma_server_packet_t; - ') - - allow $1 cma_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cma_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_server_packets'($*)) dnl - - gen_require(` - type cma_server_packet_t; - ') - - dontaudit $1 cma_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cma_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_server_packets'($*)) dnl - - corenet_send_cma_server_packets($1) - corenet_receive_cma_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cma_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl - - corenet_dontaudit_send_cma_server_packets($1) - corenet_dontaudit_receive_cma_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cma_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_server_packets'($*)) dnl - - gen_require(` - type cma_server_packet_t; - ') - - allow $1 cma_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cobbler port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cobbler port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cobbler port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cobbler port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cobbler port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cobbler port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cobbler port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cobbler port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cobbler_port'($*)) dnl - - gen_require(` - type cobbler_port_t; - ') - - allow $1 cobbler_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cobbler port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cobbler_port'($*)) dnl - - gen_require(` - type cobbler_port_t; - ') - - allow $1 cobbler_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cobbler_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cobbler port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cobbler_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cobbler_port'($*)) dnl - - gen_require(` - type cobbler_port_t; - ') - - allow $1 cobbler_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cobbler_port'($*)) dnl - ') - - - -######################################## -## -## Send cobbler_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_client_packets'($*)) dnl - - gen_require(` - type cobbler_client_packet_t; - ') - - allow $1 cobbler_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cobbler_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl - - gen_require(` - type cobbler_client_packet_t; - ') - - dontaudit $1 cobbler_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cobbler_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_client_packets'($*)) dnl - - gen_require(` - type cobbler_client_packet_t; - ') - - allow $1 cobbler_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cobbler_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl - - gen_require(` - type cobbler_client_packet_t; - ') - - dontaudit $1 cobbler_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cobbler_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_client_packets'($*)) dnl - - corenet_send_cobbler_client_packets($1) - corenet_receive_cobbler_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cobbler_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl - - corenet_dontaudit_send_cobbler_client_packets($1) - corenet_dontaudit_receive_cobbler_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cobbler_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cobbler_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_client_packets'($*)) dnl - - gen_require(` - type cobbler_client_packet_t; - ') - - allow $1 cobbler_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cobbler_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_server_packets'($*)) dnl - - gen_require(` - type cobbler_server_packet_t; - ') - - allow $1 cobbler_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cobbler_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl - - gen_require(` - type cobbler_server_packet_t; - ') - - dontaudit $1 cobbler_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cobbler_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_server_packets'($*)) dnl - - gen_require(` - type cobbler_server_packet_t; - ') - - allow $1 cobbler_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cobbler_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl - - gen_require(` - type cobbler_server_packet_t; - ') - - dontaudit $1 cobbler_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cobbler_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_server_packets'($*)) dnl - - corenet_send_cobbler_server_packets($1) - corenet_receive_cobbler_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cobbler_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl - - corenet_dontaudit_send_cobbler_server_packets($1) - corenet_dontaudit_receive_cobbler_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cobbler_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cobbler_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_server_packets'($*)) dnl - - gen_require(` - type cobbler_server_packet_t; - ') - - allow $1 cobbler_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the commplex_link port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the commplex_link port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the commplex_link port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the commplex_link port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the commplex_link port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the commplex_link port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the commplex_link port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the commplex_link port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_link_port'($*)) dnl - - gen_require(` - type commplex_link_port_t; - ') - - allow $1 commplex_link_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the commplex_link port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_link_port'($*)) dnl - - gen_require(` - type commplex_link_port_t; - ') - - allow $1 commplex_link_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_link_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the commplex_link port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_commplex_link_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_link_port'($*)) dnl - - gen_require(` - type commplex_link_port_t; - ') - - allow $1 commplex_link_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_link_port'($*)) dnl - ') - - - -######################################## -## -## Send commplex_link_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_client_packets'($*)) dnl - - gen_require(` - type commplex_link_client_packet_t; - ') - - allow $1 commplex_link_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send commplex_link_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl - - gen_require(` - type commplex_link_client_packet_t; - ') - - dontaudit $1 commplex_link_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive commplex_link_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_client_packets'($*)) dnl - - gen_require(` - type commplex_link_client_packet_t; - ') - - allow $1 commplex_link_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive commplex_link_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl - - gen_require(` - type commplex_link_client_packet_t; - ') - - dontaudit $1 commplex_link_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive commplex_link_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_client_packets'($*)) dnl - - corenet_send_commplex_link_client_packets($1) - corenet_receive_commplex_link_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive commplex_link_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl - - corenet_dontaudit_send_commplex_link_client_packets($1) - corenet_dontaudit_receive_commplex_link_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to commplex_link_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_commplex_link_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_client_packets'($*)) dnl - - gen_require(` - type commplex_link_client_packet_t; - ') - - allow $1 commplex_link_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send commplex_link_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_server_packets'($*)) dnl - - gen_require(` - type commplex_link_server_packet_t; - ') - - allow $1 commplex_link_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send commplex_link_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl - - gen_require(` - type commplex_link_server_packet_t; - ') - - dontaudit $1 commplex_link_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive commplex_link_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_server_packets'($*)) dnl - - gen_require(` - type commplex_link_server_packet_t; - ') - - allow $1 commplex_link_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive commplex_link_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl - - gen_require(` - type commplex_link_server_packet_t; - ') - - dontaudit $1 commplex_link_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive commplex_link_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_server_packets'($*)) dnl - - corenet_send_commplex_link_server_packets($1) - corenet_receive_commplex_link_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive commplex_link_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl - - corenet_dontaudit_send_commplex_link_server_packets($1) - corenet_dontaudit_receive_commplex_link_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to commplex_link_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_commplex_link_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_server_packets'($*)) dnl - - gen_require(` - type commplex_link_server_packet_t; - ') - - allow $1 commplex_link_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the commplex_main port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the commplex_main port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the commplex_main port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the commplex_main port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the commplex_main port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the commplex_main port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the commplex_main port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the commplex_main port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_main_port'($*)) dnl - - gen_require(` - type commplex_main_port_t; - ') - - allow $1 commplex_main_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the commplex_main port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_main_port'($*)) dnl - - gen_require(` - type commplex_main_port_t; - ') - - allow $1 commplex_main_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_main_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the commplex_main port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_commplex_main_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_main_port'($*)) dnl - - gen_require(` - type commplex_main_port_t; - ') - - allow $1 commplex_main_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_main_port'($*)) dnl - ') - - - -######################################## -## -## Send commplex_main_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_client_packets'($*)) dnl - - gen_require(` - type commplex_main_client_packet_t; - ') - - allow $1 commplex_main_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send commplex_main_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl - - gen_require(` - type commplex_main_client_packet_t; - ') - - dontaudit $1 commplex_main_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive commplex_main_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_client_packets'($*)) dnl - - gen_require(` - type commplex_main_client_packet_t; - ') - - allow $1 commplex_main_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive commplex_main_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl - - gen_require(` - type commplex_main_client_packet_t; - ') - - dontaudit $1 commplex_main_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive commplex_main_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_client_packets'($*)) dnl - - corenet_send_commplex_main_client_packets($1) - corenet_receive_commplex_main_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive commplex_main_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl - - corenet_dontaudit_send_commplex_main_client_packets($1) - corenet_dontaudit_receive_commplex_main_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to commplex_main_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_commplex_main_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_client_packets'($*)) dnl - - gen_require(` - type commplex_main_client_packet_t; - ') - - allow $1 commplex_main_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send commplex_main_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_server_packets'($*)) dnl - - gen_require(` - type commplex_main_server_packet_t; - ') - - allow $1 commplex_main_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send commplex_main_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl - - gen_require(` - type commplex_main_server_packet_t; - ') - - dontaudit $1 commplex_main_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive commplex_main_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_server_packets'($*)) dnl - - gen_require(` - type commplex_main_server_packet_t; - ') - - allow $1 commplex_main_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive commplex_main_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl - - gen_require(` - type commplex_main_server_packet_t; - ') - - dontaudit $1 commplex_main_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive commplex_main_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_server_packets'($*)) dnl - - corenet_send_commplex_main_server_packets($1) - corenet_receive_commplex_main_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive commplex_main_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl - - corenet_dontaudit_send_commplex_main_server_packets($1) - corenet_dontaudit_receive_commplex_main_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to commplex_main_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_commplex_main_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_server_packets'($*)) dnl - - gen_require(` - type commplex_main_server_packet_t; - ') - - allow $1 commplex_main_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the comsat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_comsat_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the comsat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_comsat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the comsat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_comsat_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the comsat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_comsat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the comsat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the comsat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_comsat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the comsat port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the comsat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_comsat_port'($*)) dnl - - gen_require(` - type comsat_port_t; - ') - - allow $1 comsat_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_comsat_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the comsat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_comsat_port'($*)) dnl - - gen_require(` - type comsat_port_t; - ') - - allow $1 comsat_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_comsat_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the comsat port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_comsat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_comsat_port'($*)) dnl - - gen_require(` - type comsat_port_t; - ') - - allow $1 comsat_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_comsat_port'($*)) dnl - ') - - - -######################################## -## -## Send comsat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_client_packets'($*)) dnl - - gen_require(` - type comsat_client_packet_t; - ') - - allow $1 comsat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send comsat_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_client_packets'($*)) dnl - - gen_require(` - type comsat_client_packet_t; - ') - - dontaudit $1 comsat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive comsat_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_client_packets'($*)) dnl - - gen_require(` - type comsat_client_packet_t; - ') - - allow $1 comsat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive comsat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl - - gen_require(` - type comsat_client_packet_t; - ') - - dontaudit $1 comsat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive comsat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_client_packets'($*)) dnl - - corenet_send_comsat_client_packets($1) - corenet_receive_comsat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive comsat_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl - - corenet_dontaudit_send_comsat_client_packets($1) - corenet_dontaudit_receive_comsat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to comsat_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_comsat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_client_packets'($*)) dnl - - gen_require(` - type comsat_client_packet_t; - ') - - allow $1 comsat_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send comsat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_server_packets'($*)) dnl - - gen_require(` - type comsat_server_packet_t; - ') - - allow $1 comsat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send comsat_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_server_packets'($*)) dnl - - gen_require(` - type comsat_server_packet_t; - ') - - dontaudit $1 comsat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive comsat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_server_packets'($*)) dnl - - gen_require(` - type comsat_server_packet_t; - ') - - allow $1 comsat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive comsat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl - - gen_require(` - type comsat_server_packet_t; - ') - - dontaudit $1 comsat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive comsat_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_server_packets'($*)) dnl - - corenet_send_comsat_server_packets($1) - corenet_receive_comsat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive comsat_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl - - corenet_dontaudit_send_comsat_server_packets($1) - corenet_dontaudit_receive_comsat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to comsat_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_comsat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_server_packets'($*)) dnl - - gen_require(` - type comsat_server_packet_t; - ') - - allow $1 comsat_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the condor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_condor_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the condor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_condor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the condor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_condor_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the condor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_condor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the condor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_condor_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the condor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_condor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the condor port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the condor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_condor_port'($*)) dnl - - gen_require(` - type condor_port_t; - ') - - allow $1 condor_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_condor_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the condor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_condor_port'($*)) dnl - - gen_require(` - type condor_port_t; - ') - - allow $1 condor_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_condor_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the condor port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_condor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_condor_port'($*)) dnl - - gen_require(` - type condor_port_t; - ') - - allow $1 condor_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_condor_port'($*)) dnl - ') - - - -######################################## -## -## Send condor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_condor_client_packets'($*)) dnl - - gen_require(` - type condor_client_packet_t; - ') - - allow $1 condor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send condor_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_client_packets'($*)) dnl - - gen_require(` - type condor_client_packet_t; - ') - - dontaudit $1 condor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive condor_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_client_packets'($*)) dnl - - gen_require(` - type condor_client_packet_t; - ') - - allow $1 condor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive condor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_client_packets'($*)) dnl - - gen_require(` - type condor_client_packet_t; - ') - - dontaudit $1 condor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive condor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_client_packets'($*)) dnl - - corenet_send_condor_client_packets($1) - corenet_receive_condor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive condor_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl - - corenet_dontaudit_send_condor_client_packets($1) - corenet_dontaudit_receive_condor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to condor_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_condor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_client_packets'($*)) dnl - - gen_require(` - type condor_client_packet_t; - ') - - allow $1 condor_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send condor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_condor_server_packets'($*)) dnl - - gen_require(` - type condor_server_packet_t; - ') - - allow $1 condor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send condor_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_server_packets'($*)) dnl - - gen_require(` - type condor_server_packet_t; - ') - - dontaudit $1 condor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive condor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_server_packets'($*)) dnl - - gen_require(` - type condor_server_packet_t; - ') - - allow $1 condor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive condor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_server_packets'($*)) dnl - - gen_require(` - type condor_server_packet_t; - ') - - dontaudit $1 condor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive condor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_server_packets'($*)) dnl - - corenet_send_condor_server_packets($1) - corenet_receive_condor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive condor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl - - corenet_dontaudit_send_condor_server_packets($1) - corenet_dontaudit_receive_condor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to condor_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_condor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_server_packets'($*)) dnl - - gen_require(` - type condor_server_packet_t; - ') - - allow $1 condor_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the couchdb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the couchdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the couchdb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the couchdb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the couchdb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the couchdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the couchdb port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the couchdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_couchdb_port'($*)) dnl - - gen_require(` - type couchdb_port_t; - ') - - allow $1 couchdb_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the couchdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_couchdb_port'($*)) dnl - - gen_require(` - type couchdb_port_t; - ') - - allow $1 couchdb_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_couchdb_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the couchdb port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_couchdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_couchdb_port'($*)) dnl - - gen_require(` - type couchdb_port_t; - ') - - allow $1 couchdb_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_couchdb_port'($*)) dnl - ') - - - -######################################## -## -## Send couchdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_client_packets'($*)) dnl - - gen_require(` - type couchdb_client_packet_t; - ') - - allow $1 couchdb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send couchdb_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl - - gen_require(` - type couchdb_client_packet_t; - ') - - dontaudit $1 couchdb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive couchdb_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_client_packets'($*)) dnl - - gen_require(` - type couchdb_client_packet_t; - ') - - allow $1 couchdb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive couchdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl - - gen_require(` - type couchdb_client_packet_t; - ') - - dontaudit $1 couchdb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive couchdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_client_packets'($*)) dnl - - corenet_send_couchdb_client_packets($1) - corenet_receive_couchdb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive couchdb_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl - - corenet_dontaudit_send_couchdb_client_packets($1) - corenet_dontaudit_receive_couchdb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to couchdb_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_couchdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_client_packets'($*)) dnl - - gen_require(` - type couchdb_client_packet_t; - ') - - allow $1 couchdb_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send couchdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_server_packets'($*)) dnl - - gen_require(` - type couchdb_server_packet_t; - ') - - allow $1 couchdb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send couchdb_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl - - gen_require(` - type couchdb_server_packet_t; - ') - - dontaudit $1 couchdb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive couchdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_server_packets'($*)) dnl - - gen_require(` - type couchdb_server_packet_t; - ') - - allow $1 couchdb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive couchdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl - - gen_require(` - type couchdb_server_packet_t; - ') - - dontaudit $1 couchdb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive couchdb_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_server_packets'($*)) dnl - - corenet_send_couchdb_server_packets($1) - corenet_receive_couchdb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive couchdb_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl - - corenet_dontaudit_send_couchdb_server_packets($1) - corenet_dontaudit_receive_couchdb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to couchdb_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_couchdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_server_packets'($*)) dnl - - gen_require(` - type couchdb_server_packet_t; - ') - - allow $1 couchdb_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cslistener port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cslistener port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cslistener port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cslistener port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cslistener port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cslistener port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cslistener port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cslistener_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cslistener port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cslistener_port'($*)) dnl - - gen_require(` - type cslistener_port_t; - ') - - allow $1 cslistener_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cslistener port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cslistener_port'($*)) dnl - - gen_require(` - type cslistener_port_t; - ') - - allow $1 cslistener_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cslistener_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cslistener port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cslistener_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cslistener_port'($*)) dnl - - gen_require(` - type cslistener_port_t; - ') - - allow $1 cslistener_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cslistener_port'($*)) dnl - ') - - - -######################################## -## -## Send cslistener_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cslistener_client_packets'($*)) dnl - - gen_require(` - type cslistener_client_packet_t; - ') - - allow $1 cslistener_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cslistener_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cslistener_client_packets'($*)) dnl - - gen_require(` - type cslistener_client_packet_t; - ') - - dontaudit $1 cslistener_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cslistener_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cslistener_client_packets'($*)) dnl - - gen_require(` - type cslistener_client_packet_t; - ') - - allow $1 cslistener_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cslistener_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cslistener_client_packets'($*)) dnl - - gen_require(` - type cslistener_client_packet_t; - ') - - dontaudit $1 cslistener_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cslistener_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cslistener_client_packets'($*)) dnl - - corenet_send_cslistener_client_packets($1) - corenet_receive_cslistener_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cslistener_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cslistener_client_packets'($*)) dnl - - corenet_dontaudit_send_cslistener_client_packets($1) - corenet_dontaudit_receive_cslistener_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cslistener_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cslistener_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cslistener_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cslistener_client_packets'($*)) dnl - - gen_require(` - type cslistener_client_packet_t; - ') - - allow $1 cslistener_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cslistener_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cslistener_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cslistener_server_packets'($*)) dnl - - gen_require(` - type cslistener_server_packet_t; - ') - - allow $1 cslistener_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cslistener_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cslistener_server_packets'($*)) dnl - - gen_require(` - type cslistener_server_packet_t; - ') - - dontaudit $1 cslistener_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cslistener_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cslistener_server_packets'($*)) dnl - - gen_require(` - type cslistener_server_packet_t; - ') - - allow $1 cslistener_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cslistener_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cslistener_server_packets'($*)) dnl - - gen_require(` - type cslistener_server_packet_t; - ') - - dontaudit $1 cslistener_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cslistener_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cslistener_server_packets'($*)) dnl - - corenet_send_cslistener_server_packets($1) - corenet_receive_cslistener_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cslistener_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cslistener_server_packets'($*)) dnl - - corenet_dontaudit_send_cslistener_server_packets($1) - corenet_dontaudit_receive_cslistener_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cslistener_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cslistener_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cslistener_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cslistener_server_packets'($*)) dnl - - gen_require(` - type cslistener_server_packet_t; - ') - - allow $1 cslistener_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cslistener_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ctdb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ctdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ctdb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ctdb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ctdb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ctdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ctdb port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ctdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ctdb_port'($*)) dnl - - gen_require(` - type ctdb_port_t; - ') - - allow $1 ctdb_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ctdb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ctdb_port'($*)) dnl - - gen_require(` - type ctdb_port_t; - ') - - allow $1 ctdb_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ctdb_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ctdb port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ctdb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ctdb_port'($*)) dnl - - gen_require(` - type ctdb_port_t; - ') - - allow $1 ctdb_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ctdb_port'($*)) dnl - ') - - - -######################################## -## -## Send ctdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_client_packets'($*)) dnl - - gen_require(` - type ctdb_client_packet_t; - ') - - allow $1 ctdb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ctdb_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl - - gen_require(` - type ctdb_client_packet_t; - ') - - dontaudit $1 ctdb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ctdb_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_client_packets'($*)) dnl - - gen_require(` - type ctdb_client_packet_t; - ') - - allow $1 ctdb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ctdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl - - gen_require(` - type ctdb_client_packet_t; - ') - - dontaudit $1 ctdb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ctdb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_client_packets'($*)) dnl - - corenet_send_ctdb_client_packets($1) - corenet_receive_ctdb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ctdb_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl - - corenet_dontaudit_send_ctdb_client_packets($1) - corenet_dontaudit_receive_ctdb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ctdb_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ctdb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_client_packets'($*)) dnl - - gen_require(` - type ctdb_client_packet_t; - ') - - allow $1 ctdb_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ctdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_server_packets'($*)) dnl - - gen_require(` - type ctdb_server_packet_t; - ') - - allow $1 ctdb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ctdb_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl - - gen_require(` - type ctdb_server_packet_t; - ') - - dontaudit $1 ctdb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ctdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_server_packets'($*)) dnl - - gen_require(` - type ctdb_server_packet_t; - ') - - allow $1 ctdb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ctdb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl - - gen_require(` - type ctdb_server_packet_t; - ') - - dontaudit $1 ctdb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ctdb_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_server_packets'($*)) dnl - - corenet_send_ctdb_server_packets($1) - corenet_receive_ctdb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ctdb_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl - - corenet_dontaudit_send_ctdb_server_packets($1) - corenet_dontaudit_receive_ctdb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ctdb_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ctdb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_server_packets'($*)) dnl - - gen_require(` - type ctdb_server_packet_t; - ') - - allow $1 ctdb_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cvs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cvs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cvs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cvs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cvs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cvs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cvs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cvs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cvs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cvs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cvs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cvs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cvs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cvs_port'($*)) dnl - - gen_require(` - type cvs_port_t; - ') - - allow $1 cvs_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cvs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cvs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cvs_port'($*)) dnl - - gen_require(` - type cvs_port_t; - ') - - allow $1 cvs_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cvs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cvs port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cvs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cvs_port'($*)) dnl - - gen_require(` - type cvs_port_t; - ') - - allow $1 cvs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cvs_port'($*)) dnl - ') - - - -######################################## -## -## Send cvs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_client_packets'($*)) dnl - - gen_require(` - type cvs_client_packet_t; - ') - - allow $1 cvs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cvs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_client_packets'($*)) dnl - - gen_require(` - type cvs_client_packet_t; - ') - - dontaudit $1 cvs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cvs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_client_packets'($*)) dnl - - gen_require(` - type cvs_client_packet_t; - ') - - allow $1 cvs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cvs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl - - gen_require(` - type cvs_client_packet_t; - ') - - dontaudit $1 cvs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cvs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_client_packets'($*)) dnl - - corenet_send_cvs_client_packets($1) - corenet_receive_cvs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cvs_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl - - corenet_dontaudit_send_cvs_client_packets($1) - corenet_dontaudit_receive_cvs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cvs_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cvs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_client_packets'($*)) dnl - - gen_require(` - type cvs_client_packet_t; - ') - - allow $1 cvs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cvs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_server_packets'($*)) dnl - - gen_require(` - type cvs_server_packet_t; - ') - - allow $1 cvs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cvs_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_server_packets'($*)) dnl - - gen_require(` - type cvs_server_packet_t; - ') - - dontaudit $1 cvs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cvs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_server_packets'($*)) dnl - - gen_require(` - type cvs_server_packet_t; - ') - - allow $1 cvs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cvs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl - - gen_require(` - type cvs_server_packet_t; - ') - - dontaudit $1 cvs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cvs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_server_packets'($*)) dnl - - corenet_send_cvs_server_packets($1) - corenet_receive_cvs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cvs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl - - corenet_dontaudit_send_cvs_server_packets($1) - corenet_dontaudit_receive_cvs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cvs_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cvs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_server_packets'($*)) dnl - - gen_require(` - type cvs_server_packet_t; - ') - - allow $1 cvs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the cyphesis port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the cyphesis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the cyphesis port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the cyphesis port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the cyphesis port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the cyphesis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the cyphesis port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the cyphesis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cyphesis_port'($*)) dnl - - gen_require(` - type cyphesis_port_t; - ') - - allow $1 cyphesis_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the cyphesis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cyphesis_port'($*)) dnl - - gen_require(` - type cyphesis_port_t; - ') - - allow $1 cyphesis_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cyphesis_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the cyphesis port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_cyphesis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cyphesis_port'($*)) dnl - - gen_require(` - type cyphesis_port_t; - ') - - allow $1 cyphesis_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cyphesis_port'($*)) dnl - ') - - - -######################################## -## -## Send cyphesis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_client_packets'($*)) dnl - - gen_require(` - type cyphesis_client_packet_t; - ') - - allow $1 cyphesis_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cyphesis_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl - - gen_require(` - type cyphesis_client_packet_t; - ') - - dontaudit $1 cyphesis_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive cyphesis_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_client_packets'($*)) dnl - - gen_require(` - type cyphesis_client_packet_t; - ') - - allow $1 cyphesis_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cyphesis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl - - gen_require(` - type cyphesis_client_packet_t; - ') - - dontaudit $1 cyphesis_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cyphesis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_client_packets'($*)) dnl - - corenet_send_cyphesis_client_packets($1) - corenet_receive_cyphesis_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cyphesis_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl - - corenet_dontaudit_send_cyphesis_client_packets($1) - corenet_dontaudit_receive_cyphesis_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cyphesis_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cyphesis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_client_packets'($*)) dnl - - gen_require(` - type cyphesis_client_packet_t; - ') - - allow $1 cyphesis_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send cyphesis_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_server_packets'($*)) dnl - - gen_require(` - type cyphesis_server_packet_t; - ') - - allow $1 cyphesis_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send cyphesis_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl - - gen_require(` - type cyphesis_server_packet_t; - ') - - dontaudit $1 cyphesis_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive cyphesis_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_server_packets'($*)) dnl - - gen_require(` - type cyphesis_server_packet_t; - ') - - allow $1 cyphesis_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive cyphesis_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl - - gen_require(` - type cyphesis_server_packet_t; - ') - - dontaudit $1 cyphesis_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive cyphesis_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_server_packets'($*)) dnl - - corenet_send_cyphesis_server_packets($1) - corenet_receive_cyphesis_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive cyphesis_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl - - corenet_dontaudit_send_cyphesis_server_packets($1) - corenet_dontaudit_receive_cyphesis_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to cyphesis_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_cyphesis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_server_packets'($*)) dnl - - gen_require(` - type cyphesis_server_packet_t; - ') - - allow $1 cyphesis_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the daap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_daap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the daap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_daap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the daap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_daap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the daap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_daap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the daap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_daap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the daap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_daap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the daap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the daap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_daap_port'($*)) dnl - - gen_require(` - type daap_port_t; - ') - - allow $1 daap_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_daap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the daap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_daap_port'($*)) dnl - - gen_require(` - type daap_port_t; - ') - - allow $1 daap_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_daap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the daap port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_daap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_daap_port'($*)) dnl - - gen_require(` - type daap_port_t; - ') - - allow $1 daap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_daap_port'($*)) dnl - ') - - - -######################################## -## -## Send daap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_daap_client_packets'($*)) dnl - - gen_require(` - type daap_client_packet_t; - ') - - allow $1 daap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send daap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_client_packets'($*)) dnl - - gen_require(` - type daap_client_packet_t; - ') - - dontaudit $1 daap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive daap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_client_packets'($*)) dnl - - gen_require(` - type daap_client_packet_t; - ') - - allow $1 daap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive daap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_client_packets'($*)) dnl - - gen_require(` - type daap_client_packet_t; - ') - - dontaudit $1 daap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive daap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_client_packets'($*)) dnl - - corenet_send_daap_client_packets($1) - corenet_receive_daap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive daap_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl - - corenet_dontaudit_send_daap_client_packets($1) - corenet_dontaudit_receive_daap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to daap_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_daap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_client_packets'($*)) dnl - - gen_require(` - type daap_client_packet_t; - ') - - allow $1 daap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send daap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_daap_server_packets'($*)) dnl - - gen_require(` - type daap_server_packet_t; - ') - - allow $1 daap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send daap_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_server_packets'($*)) dnl - - gen_require(` - type daap_server_packet_t; - ') - - dontaudit $1 daap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive daap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_server_packets'($*)) dnl - - gen_require(` - type daap_server_packet_t; - ') - - allow $1 daap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive daap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_server_packets'($*)) dnl - - gen_require(` - type daap_server_packet_t; - ') - - dontaudit $1 daap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive daap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_server_packets'($*)) dnl - - corenet_send_daap_server_packets($1) - corenet_receive_daap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive daap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl - - corenet_dontaudit_send_daap_server_packets($1) - corenet_dontaudit_receive_daap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to daap_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_daap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_server_packets'($*)) dnl - - gen_require(` - type daap_server_packet_t; - ') - - allow $1 daap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dbskkd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dbskkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dbskkd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dbskkd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dbskkd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dbskkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dbskkd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dbskkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dbskkd_port'($*)) dnl - - gen_require(` - type dbskkd_port_t; - ') - - allow $1 dbskkd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dbskkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dbskkd_port'($*)) dnl - - gen_require(` - type dbskkd_port_t; - ') - - allow $1 dbskkd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dbskkd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dbskkd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dbskkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dbskkd_port'($*)) dnl - - gen_require(` - type dbskkd_port_t; - ') - - allow $1 dbskkd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dbskkd_port'($*)) dnl - ') - - - -######################################## -## -## Send dbskkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_client_packets'($*)) dnl - - gen_require(` - type dbskkd_client_packet_t; - ') - - allow $1 dbskkd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dbskkd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl - - gen_require(` - type dbskkd_client_packet_t; - ') - - dontaudit $1 dbskkd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dbskkd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_client_packets'($*)) dnl - - gen_require(` - type dbskkd_client_packet_t; - ') - - allow $1 dbskkd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dbskkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl - - gen_require(` - type dbskkd_client_packet_t; - ') - - dontaudit $1 dbskkd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dbskkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_client_packets'($*)) dnl - - corenet_send_dbskkd_client_packets($1) - corenet_receive_dbskkd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dbskkd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl - - corenet_dontaudit_send_dbskkd_client_packets($1) - corenet_dontaudit_receive_dbskkd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dbskkd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dbskkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_client_packets'($*)) dnl - - gen_require(` - type dbskkd_client_packet_t; - ') - - allow $1 dbskkd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dbskkd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_server_packets'($*)) dnl - - gen_require(` - type dbskkd_server_packet_t; - ') - - allow $1 dbskkd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dbskkd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl - - gen_require(` - type dbskkd_server_packet_t; - ') - - dontaudit $1 dbskkd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dbskkd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_server_packets'($*)) dnl - - gen_require(` - type dbskkd_server_packet_t; - ') - - allow $1 dbskkd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dbskkd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl - - gen_require(` - type dbskkd_server_packet_t; - ') - - dontaudit $1 dbskkd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dbskkd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_server_packets'($*)) dnl - - corenet_send_dbskkd_server_packets($1) - corenet_receive_dbskkd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dbskkd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl - - corenet_dontaudit_send_dbskkd_server_packets($1) - corenet_dontaudit_receive_dbskkd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dbskkd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dbskkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_server_packets'($*)) dnl - - gen_require(` - type dbskkd_server_packet_t; - ') - - allow $1 dbskkd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dcc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dcc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dcc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dcc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dcc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dcc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dcc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dcc_port'($*)) dnl - - gen_require(` - type dcc_port_t; - ') - - allow $1 dcc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dcc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dcc_port'($*)) dnl - - gen_require(` - type dcc_port_t; - ') - - allow $1 dcc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dcc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dcc port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dcc_port'($*)) dnl - - gen_require(` - type dcc_port_t; - ') - - allow $1 dcc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dcc_port'($*)) dnl - ') - - - -######################################## -## -## Send dcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_client_packets'($*)) dnl - - gen_require(` - type dcc_client_packet_t; - ') - - allow $1 dcc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dcc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_client_packets'($*)) dnl - - gen_require(` - type dcc_client_packet_t; - ') - - dontaudit $1 dcc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dcc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_client_packets'($*)) dnl - - gen_require(` - type dcc_client_packet_t; - ') - - allow $1 dcc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl - - gen_require(` - type dcc_client_packet_t; - ') - - dontaudit $1 dcc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_client_packets'($*)) dnl - - corenet_send_dcc_client_packets($1) - corenet_receive_dcc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dcc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl - - corenet_dontaudit_send_dcc_client_packets($1) - corenet_dontaudit_receive_dcc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dcc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_client_packets'($*)) dnl - - gen_require(` - type dcc_client_packet_t; - ') - - allow $1 dcc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dcc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_server_packets'($*)) dnl - - gen_require(` - type dcc_server_packet_t; - ') - - allow $1 dcc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dcc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_server_packets'($*)) dnl - - gen_require(` - type dcc_server_packet_t; - ') - - dontaudit $1 dcc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dcc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_server_packets'($*)) dnl - - gen_require(` - type dcc_server_packet_t; - ') - - allow $1 dcc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dcc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl - - gen_require(` - type dcc_server_packet_t; - ') - - dontaudit $1 dcc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dcc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_server_packets'($*)) dnl - - corenet_send_dcc_server_packets($1) - corenet_receive_dcc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dcc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl - - corenet_dontaudit_send_dcc_server_packets($1) - corenet_dontaudit_receive_dcc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dcc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_server_packets'($*)) dnl - - gen_require(` - type dcc_server_packet_t; - ') - - allow $1 dcc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dccm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dccm_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dccm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dccm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dccm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dccm_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dccm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dccm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dccm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dccm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dccm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dccm port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dccm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dccm_port'($*)) dnl - - gen_require(` - type dccm_port_t; - ') - - allow $1 dccm_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dccm_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dccm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dccm_port'($*)) dnl - - gen_require(` - type dccm_port_t; - ') - - allow $1 dccm_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dccm_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dccm port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dccm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dccm_port'($*)) dnl - - gen_require(` - type dccm_port_t; - ') - - allow $1 dccm_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dccm_port'($*)) dnl - ') - - - -######################################## -## -## Send dccm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_client_packets'($*)) dnl - - gen_require(` - type dccm_client_packet_t; - ') - - allow $1 dccm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dccm_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_client_packets'($*)) dnl - - gen_require(` - type dccm_client_packet_t; - ') - - dontaudit $1 dccm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dccm_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_client_packets'($*)) dnl - - gen_require(` - type dccm_client_packet_t; - ') - - allow $1 dccm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dccm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl - - gen_require(` - type dccm_client_packet_t; - ') - - dontaudit $1 dccm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dccm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_client_packets'($*)) dnl - - corenet_send_dccm_client_packets($1) - corenet_receive_dccm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dccm_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl - - corenet_dontaudit_send_dccm_client_packets($1) - corenet_dontaudit_receive_dccm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dccm_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dccm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_client_packets'($*)) dnl - - gen_require(` - type dccm_client_packet_t; - ') - - allow $1 dccm_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dccm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_server_packets'($*)) dnl - - gen_require(` - type dccm_server_packet_t; - ') - - allow $1 dccm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dccm_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_server_packets'($*)) dnl - - gen_require(` - type dccm_server_packet_t; - ') - - dontaudit $1 dccm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dccm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_server_packets'($*)) dnl - - gen_require(` - type dccm_server_packet_t; - ') - - allow $1 dccm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dccm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl - - gen_require(` - type dccm_server_packet_t; - ') - - dontaudit $1 dccm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dccm_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_server_packets'($*)) dnl - - corenet_send_dccm_server_packets($1) - corenet_receive_dccm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dccm_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl - - corenet_dontaudit_send_dccm_server_packets($1) - corenet_dontaudit_receive_dccm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dccm_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dccm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_server_packets'($*)) dnl - - gen_require(` - type dccm_server_packet_t; - ') - - allow $1 dccm_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dhcpc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dhcpc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dhcpc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dhcpc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dhcpc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dhcpc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dhcpc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dhcpc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpc_port'($*)) dnl - - gen_require(` - type dhcpc_port_t; - ') - - allow $1 dhcpc_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dhcpc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpc_port'($*)) dnl - - gen_require(` - type dhcpc_port_t; - ') - - allow $1 dhcpc_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dhcpc port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dhcpc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpc_port'($*)) dnl - - gen_require(` - type dhcpc_port_t; - ') - - allow $1 dhcpc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpc_port'($*)) dnl - ') - - - -######################################## -## -## Send dhcpc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_client_packets'($*)) dnl - - gen_require(` - type dhcpc_client_packet_t; - ') - - allow $1 dhcpc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dhcpc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl - - gen_require(` - type dhcpc_client_packet_t; - ') - - dontaudit $1 dhcpc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dhcpc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_client_packets'($*)) dnl - - gen_require(` - type dhcpc_client_packet_t; - ') - - allow $1 dhcpc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dhcpc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl - - gen_require(` - type dhcpc_client_packet_t; - ') - - dontaudit $1 dhcpc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dhcpc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_client_packets'($*)) dnl - - corenet_send_dhcpc_client_packets($1) - corenet_receive_dhcpc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dhcpc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl - - corenet_dontaudit_send_dhcpc_client_packets($1) - corenet_dontaudit_receive_dhcpc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dhcpc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dhcpc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_client_packets'($*)) dnl - - gen_require(` - type dhcpc_client_packet_t; - ') - - allow $1 dhcpc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dhcpc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_server_packets'($*)) dnl - - gen_require(` - type dhcpc_server_packet_t; - ') - - allow $1 dhcpc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dhcpc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl - - gen_require(` - type dhcpc_server_packet_t; - ') - - dontaudit $1 dhcpc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dhcpc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_server_packets'($*)) dnl - - gen_require(` - type dhcpc_server_packet_t; - ') - - allow $1 dhcpc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dhcpc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl - - gen_require(` - type dhcpc_server_packet_t; - ') - - dontaudit $1 dhcpc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dhcpc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_server_packets'($*)) dnl - - corenet_send_dhcpc_server_packets($1) - corenet_receive_dhcpc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dhcpc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl - - corenet_dontaudit_send_dhcpc_server_packets($1) - corenet_dontaudit_receive_dhcpc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dhcpc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dhcpc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_server_packets'($*)) dnl - - gen_require(` - type dhcpc_server_packet_t; - ') - - allow $1 dhcpc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dhcpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dhcpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dhcpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dhcpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dhcpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dhcpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dhcpd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dhcpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpd_port'($*)) dnl - - gen_require(` - type dhcpd_port_t; - ') - - allow $1 dhcpd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dhcpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpd_port'($*)) dnl - - gen_require(` - type dhcpd_port_t; - ') - - allow $1 dhcpd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dhcpd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dhcpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpd_port'($*)) dnl - - gen_require(` - type dhcpd_port_t; - ') - - allow $1 dhcpd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpd_port'($*)) dnl - ') - - - -######################################## -## -## Send dhcpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_client_packets'($*)) dnl - - gen_require(` - type dhcpd_client_packet_t; - ') - - allow $1 dhcpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dhcpd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl - - gen_require(` - type dhcpd_client_packet_t; - ') - - dontaudit $1 dhcpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dhcpd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_client_packets'($*)) dnl - - gen_require(` - type dhcpd_client_packet_t; - ') - - allow $1 dhcpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dhcpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl - - gen_require(` - type dhcpd_client_packet_t; - ') - - dontaudit $1 dhcpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dhcpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_client_packets'($*)) dnl - - corenet_send_dhcpd_client_packets($1) - corenet_receive_dhcpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dhcpd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl - - corenet_dontaudit_send_dhcpd_client_packets($1) - corenet_dontaudit_receive_dhcpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dhcpd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dhcpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_client_packets'($*)) dnl - - gen_require(` - type dhcpd_client_packet_t; - ') - - allow $1 dhcpd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dhcpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_server_packets'($*)) dnl - - gen_require(` - type dhcpd_server_packet_t; - ') - - allow $1 dhcpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dhcpd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl - - gen_require(` - type dhcpd_server_packet_t; - ') - - dontaudit $1 dhcpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dhcpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_server_packets'($*)) dnl - - gen_require(` - type dhcpd_server_packet_t; - ') - - allow $1 dhcpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dhcpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl - - gen_require(` - type dhcpd_server_packet_t; - ') - - dontaudit $1 dhcpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dhcpd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_server_packets'($*)) dnl - - corenet_send_dhcpd_server_packets($1) - corenet_receive_dhcpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dhcpd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl - - corenet_dontaudit_send_dhcpd_server_packets($1) - corenet_dontaudit_receive_dhcpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dhcpd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dhcpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_server_packets'($*)) dnl - - gen_require(` - type dhcpd_server_packet_t; - ') - - allow $1 dhcpd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dict port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dict_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dict port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dict_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dict port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dict_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dict port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dict_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dict port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dict_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dict port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dict_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dict port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dict port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dict_port'($*)) dnl - - gen_require(` - type dict_port_t; - ') - - allow $1 dict_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dict_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dict port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dict_port'($*)) dnl - - gen_require(` - type dict_port_t; - ') - - allow $1 dict_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dict_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dict port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dict_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dict_port'($*)) dnl - - gen_require(` - type dict_port_t; - ') - - allow $1 dict_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dict_port'($*)) dnl - ') - - - -######################################## -## -## Send dict_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dict_client_packets'($*)) dnl - - gen_require(` - type dict_client_packet_t; - ') - - allow $1 dict_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dict_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_client_packets'($*)) dnl - - gen_require(` - type dict_client_packet_t; - ') - - dontaudit $1 dict_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dict_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_client_packets'($*)) dnl - - gen_require(` - type dict_client_packet_t; - ') - - allow $1 dict_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dict_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_client_packets'($*)) dnl - - gen_require(` - type dict_client_packet_t; - ') - - dontaudit $1 dict_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dict_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_client_packets'($*)) dnl - - corenet_send_dict_client_packets($1) - corenet_receive_dict_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dict_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl - - corenet_dontaudit_send_dict_client_packets($1) - corenet_dontaudit_receive_dict_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dict_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dict_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_client_packets'($*)) dnl - - gen_require(` - type dict_client_packet_t; - ') - - allow $1 dict_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dict_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dict_server_packets'($*)) dnl - - gen_require(` - type dict_server_packet_t; - ') - - allow $1 dict_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dict_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_server_packets'($*)) dnl - - gen_require(` - type dict_server_packet_t; - ') - - dontaudit $1 dict_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dict_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_server_packets'($*)) dnl - - gen_require(` - type dict_server_packet_t; - ') - - allow $1 dict_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dict_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_server_packets'($*)) dnl - - gen_require(` - type dict_server_packet_t; - ') - - dontaudit $1 dict_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dict_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_server_packets'($*)) dnl - - corenet_send_dict_server_packets($1) - corenet_receive_dict_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dict_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl - - corenet_dontaudit_send_dict_server_packets($1) - corenet_dontaudit_receive_dict_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dict_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dict_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_server_packets'($*)) dnl - - gen_require(` - type dict_server_packet_t; - ') - - allow $1 dict_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the distccd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_distccd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the distccd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_distccd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the distccd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_distccd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the distccd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_distccd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the distccd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the distccd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_distccd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the distccd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the distccd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_distccd_port'($*)) dnl - - gen_require(` - type distccd_port_t; - ') - - allow $1 distccd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_distccd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the distccd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_distccd_port'($*)) dnl - - gen_require(` - type distccd_port_t; - ') - - allow $1 distccd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_distccd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the distccd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_distccd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_distccd_port'($*)) dnl - - gen_require(` - type distccd_port_t; - ') - - allow $1 distccd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_distccd_port'($*)) dnl - ') - - - -######################################## -## -## Send distccd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_client_packets'($*)) dnl - - gen_require(` - type distccd_client_packet_t; - ') - - allow $1 distccd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send distccd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_client_packets'($*)) dnl - - gen_require(` - type distccd_client_packet_t; - ') - - dontaudit $1 distccd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive distccd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_client_packets'($*)) dnl - - gen_require(` - type distccd_client_packet_t; - ') - - allow $1 distccd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive distccd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl - - gen_require(` - type distccd_client_packet_t; - ') - - dontaudit $1 distccd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive distccd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_client_packets'($*)) dnl - - corenet_send_distccd_client_packets($1) - corenet_receive_distccd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive distccd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl - - corenet_dontaudit_send_distccd_client_packets($1) - corenet_dontaudit_receive_distccd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to distccd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_distccd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_client_packets'($*)) dnl - - gen_require(` - type distccd_client_packet_t; - ') - - allow $1 distccd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send distccd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_server_packets'($*)) dnl - - gen_require(` - type distccd_server_packet_t; - ') - - allow $1 distccd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send distccd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_server_packets'($*)) dnl - - gen_require(` - type distccd_server_packet_t; - ') - - dontaudit $1 distccd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive distccd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_server_packets'($*)) dnl - - gen_require(` - type distccd_server_packet_t; - ') - - allow $1 distccd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive distccd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl - - gen_require(` - type distccd_server_packet_t; - ') - - dontaudit $1 distccd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive distccd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_server_packets'($*)) dnl - - corenet_send_distccd_server_packets($1) - corenet_receive_distccd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive distccd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl - - corenet_dontaudit_send_distccd_server_packets($1) - corenet_dontaudit_receive_distccd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to distccd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_distccd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_server_packets'($*)) dnl - - gen_require(` - type distccd_server_packet_t; - ') - - allow $1 distccd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dns port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dns_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dns port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dns_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dns port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dns port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dns_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dns port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dns_port'($*)) dnl - - gen_require(` - type dns_port_t; - ') - - allow $1 dns_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dns_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dns_port'($*)) dnl - - gen_require(` - type dns_port_t; - ') - - allow $1 dns_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dns_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dns port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dns_port'($*)) dnl - - gen_require(` - type dns_port_t; - ') - - allow $1 dns_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dns_port'($*)) dnl - ') - - - -######################################## -## -## Send dns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dns_client_packets'($*)) dnl - - gen_require(` - type dns_client_packet_t; - ') - - allow $1 dns_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dns_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_client_packets'($*)) dnl - - gen_require(` - type dns_client_packet_t; - ') - - dontaudit $1 dns_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dns_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_client_packets'($*)) dnl - - gen_require(` - type dns_client_packet_t; - ') - - allow $1 dns_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_client_packets'($*)) dnl - - gen_require(` - type dns_client_packet_t; - ') - - dontaudit $1 dns_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_client_packets'($*)) dnl - - corenet_send_dns_client_packets($1) - corenet_receive_dns_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dns_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl - - corenet_dontaudit_send_dns_client_packets($1) - corenet_dontaudit_receive_dns_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dns_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_client_packets'($*)) dnl - - gen_require(` - type dns_client_packet_t; - ') - - allow $1 dns_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dns_server_packets'($*)) dnl - - gen_require(` - type dns_server_packet_t; - ') - - allow $1 dns_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dns_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_server_packets'($*)) dnl - - gen_require(` - type dns_server_packet_t; - ') - - dontaudit $1 dns_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_server_packets'($*)) dnl - - gen_require(` - type dns_server_packet_t; - ') - - allow $1 dns_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_server_packets'($*)) dnl - - gen_require(` - type dns_server_packet_t; - ') - - dontaudit $1 dns_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dns_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_server_packets'($*)) dnl - - corenet_send_dns_server_packets($1) - corenet_receive_dns_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dns_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl - - corenet_dontaudit_send_dns_server_packets($1) - corenet_dontaudit_receive_dns_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dns_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_server_packets'($*)) dnl - - gen_require(` - type dns_server_packet_t; - ') - - allow $1 dns_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the dropbox port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the dropbox port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the dropbox port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the dropbox port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the dropbox port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the dropbox port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the dropbox port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dropbox_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the dropbox port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dropbox_port'($*)) dnl - - gen_require(` - type dropbox_port_t; - ') - - allow $1 dropbox_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the dropbox port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dropbox_port'($*)) dnl - - gen_require(` - type dropbox_port_t; - ') - - allow $1 dropbox_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dropbox_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the dropbox port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_dropbox_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dropbox_port'($*)) dnl - - gen_require(` - type dropbox_port_t; - ') - - allow $1 dropbox_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dropbox_port'($*)) dnl - ') - - - -######################################## -## -## Send dropbox_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dropbox_client_packets'($*)) dnl - - gen_require(` - type dropbox_client_packet_t; - ') - - allow $1 dropbox_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dropbox_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dropbox_client_packets'($*)) dnl - - gen_require(` - type dropbox_client_packet_t; - ') - - dontaudit $1 dropbox_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive dropbox_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dropbox_client_packets'($*)) dnl - - gen_require(` - type dropbox_client_packet_t; - ') - - allow $1 dropbox_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dropbox_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dropbox_client_packets'($*)) dnl - - gen_require(` - type dropbox_client_packet_t; - ') - - dontaudit $1 dropbox_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dropbox_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dropbox_client_packets'($*)) dnl - - corenet_send_dropbox_client_packets($1) - corenet_receive_dropbox_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dropbox_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dropbox_client_packets'($*)) dnl - - corenet_dontaudit_send_dropbox_client_packets($1) - corenet_dontaudit_receive_dropbox_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dropbox_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dropbox_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dropbox_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dropbox_client_packets'($*)) dnl - - gen_require(` - type dropbox_client_packet_t; - ') - - allow $1 dropbox_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dropbox_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send dropbox_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_dropbox_server_packets'($*)) dnl - - gen_require(` - type dropbox_server_packet_t; - ') - - allow $1 dropbox_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send dropbox_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dropbox_server_packets'($*)) dnl - - gen_require(` - type dropbox_server_packet_t; - ') - - dontaudit $1 dropbox_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive dropbox_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_dropbox_server_packets'($*)) dnl - - gen_require(` - type dropbox_server_packet_t; - ') - - allow $1 dropbox_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive dropbox_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dropbox_server_packets'($*)) dnl - - gen_require(` - type dropbox_server_packet_t; - ') - - dontaudit $1 dropbox_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive dropbox_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dropbox_server_packets'($*)) dnl - - corenet_send_dropbox_server_packets($1) - corenet_receive_dropbox_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive dropbox_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dropbox_server_packets'($*)) dnl - - corenet_dontaudit_send_dropbox_server_packets($1) - corenet_dontaudit_receive_dropbox_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dropbox_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to dropbox_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_dropbox_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dropbox_server_packets'($*)) dnl - - gen_require(` - type dropbox_server_packet_t; - ') - - allow $1 dropbox_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_dropbox_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the efs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_efs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the efs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_efs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the efs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_efs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the efs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_efs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the efs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_efs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the efs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_efs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the efs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the efs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_efs_port'($*)) dnl - - gen_require(` - type efs_port_t; - ') - - allow $1 efs_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_efs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the efs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_efs_port'($*)) dnl - - gen_require(` - type efs_port_t; - ') - - allow $1 efs_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_efs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the efs port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_efs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_efs_port'($*)) dnl - - gen_require(` - type efs_port_t; - ') - - allow $1 efs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_efs_port'($*)) dnl - ') - - - -######################################## -## -## Send efs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_efs_client_packets'($*)) dnl - - gen_require(` - type efs_client_packet_t; - ') - - allow $1 efs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send efs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_client_packets'($*)) dnl - - gen_require(` - type efs_client_packet_t; - ') - - dontaudit $1 efs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive efs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_client_packets'($*)) dnl - - gen_require(` - type efs_client_packet_t; - ') - - allow $1 efs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive efs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_client_packets'($*)) dnl - - gen_require(` - type efs_client_packet_t; - ') - - dontaudit $1 efs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive efs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_client_packets'($*)) dnl - - corenet_send_efs_client_packets($1) - corenet_receive_efs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive efs_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl - - corenet_dontaudit_send_efs_client_packets($1) - corenet_dontaudit_receive_efs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to efs_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_efs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_client_packets'($*)) dnl - - gen_require(` - type efs_client_packet_t; - ') - - allow $1 efs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send efs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_efs_server_packets'($*)) dnl - - gen_require(` - type efs_server_packet_t; - ') - - allow $1 efs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send efs_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_server_packets'($*)) dnl - - gen_require(` - type efs_server_packet_t; - ') - - dontaudit $1 efs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive efs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_server_packets'($*)) dnl - - gen_require(` - type efs_server_packet_t; - ') - - allow $1 efs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive efs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_server_packets'($*)) dnl - - gen_require(` - type efs_server_packet_t; - ') - - dontaudit $1 efs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive efs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_server_packets'($*)) dnl - - corenet_send_efs_server_packets($1) - corenet_receive_efs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive efs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl - - corenet_dontaudit_send_efs_server_packets($1) - corenet_dontaudit_receive_efs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to efs_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_efs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_server_packets'($*)) dnl - - gen_require(` - type efs_server_packet_t; - ') - - allow $1 efs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the embrace_dp_c port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the embrace_dp_c port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the embrace_dp_c port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the embrace_dp_c port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the embrace_dp_c port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the embrace_dp_c port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the embrace_dp_c port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the embrace_dp_c port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl - - gen_require(` - type embrace_dp_c_port_t; - ') - - allow $1 embrace_dp_c_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the embrace_dp_c port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_embrace_dp_c_port'($*)) dnl - - gen_require(` - type embrace_dp_c_port_t; - ') - - allow $1 embrace_dp_c_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_embrace_dp_c_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the embrace_dp_c port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_embrace_dp_c_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl - - gen_require(` - type embrace_dp_c_port_t; - ') - - allow $1 embrace_dp_c_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl - ') - - - -######################################## -## -## Send embrace_dp_c_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_client_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_client_packet_t; - ') - - allow $1 embrace_dp_c_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send embrace_dp_c_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_client_packet_t; - ') - - dontaudit $1 embrace_dp_c_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive embrace_dp_c_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_client_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_client_packet_t; - ') - - allow $1 embrace_dp_c_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive embrace_dp_c_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_client_packet_t; - ') - - dontaudit $1 embrace_dp_c_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive embrace_dp_c_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl - - corenet_send_embrace_dp_c_client_packets($1) - corenet_receive_embrace_dp_c_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive embrace_dp_c_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl - - corenet_dontaudit_send_embrace_dp_c_client_packets($1) - corenet_dontaudit_receive_embrace_dp_c_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to embrace_dp_c_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_embrace_dp_c_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_client_packet_t; - ') - - allow $1 embrace_dp_c_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send embrace_dp_c_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_server_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_server_packet_t; - ') - - allow $1 embrace_dp_c_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send embrace_dp_c_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_server_packet_t; - ') - - dontaudit $1 embrace_dp_c_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive embrace_dp_c_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_server_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_server_packet_t; - ') - - allow $1 embrace_dp_c_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive embrace_dp_c_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_server_packet_t; - ') - - dontaudit $1 embrace_dp_c_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive embrace_dp_c_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl - - corenet_send_embrace_dp_c_server_packets($1) - corenet_receive_embrace_dp_c_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive embrace_dp_c_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl - - corenet_dontaudit_send_embrace_dp_c_server_packets($1) - corenet_dontaudit_receive_embrace_dp_c_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to embrace_dp_c_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_embrace_dp_c_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl - - gen_require(` - type embrace_dp_c_server_packet_t; - ') - - allow $1 embrace_dp_c_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the epmap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the epmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the epmap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the epmap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the epmap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the epmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the epmap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the epmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmap_port'($*)) dnl - - gen_require(` - type epmap_port_t; - ') - - allow $1 epmap_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the epmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmap_port'($*)) dnl - - gen_require(` - type epmap_port_t; - ') - - allow $1 epmap_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the epmap port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_epmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmap_port'($*)) dnl - - gen_require(` - type epmap_port_t; - ') - - allow $1 epmap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmap_port'($*)) dnl - ') - - - -######################################## -## -## Send epmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_client_packets'($*)) dnl - - gen_require(` - type epmap_client_packet_t; - ') - - allow $1 epmap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send epmap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_client_packets'($*)) dnl - - gen_require(` - type epmap_client_packet_t; - ') - - dontaudit $1 epmap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive epmap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_client_packets'($*)) dnl - - gen_require(` - type epmap_client_packet_t; - ') - - allow $1 epmap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive epmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl - - gen_require(` - type epmap_client_packet_t; - ') - - dontaudit $1 epmap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive epmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_client_packets'($*)) dnl - - corenet_send_epmap_client_packets($1) - corenet_receive_epmap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive epmap_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl - - corenet_dontaudit_send_epmap_client_packets($1) - corenet_dontaudit_receive_epmap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to epmap_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_epmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_client_packets'($*)) dnl - - gen_require(` - type epmap_client_packet_t; - ') - - allow $1 epmap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send epmap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_server_packets'($*)) dnl - - gen_require(` - type epmap_server_packet_t; - ') - - allow $1 epmap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send epmap_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_server_packets'($*)) dnl - - gen_require(` - type epmap_server_packet_t; - ') - - dontaudit $1 epmap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive epmap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_server_packets'($*)) dnl - - gen_require(` - type epmap_server_packet_t; - ') - - allow $1 epmap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive epmap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl - - gen_require(` - type epmap_server_packet_t; - ') - - dontaudit $1 epmap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive epmap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_server_packets'($*)) dnl - - corenet_send_epmap_server_packets($1) - corenet_receive_epmap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive epmap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl - - corenet_dontaudit_send_epmap_server_packets($1) - corenet_dontaudit_receive_epmap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to epmap_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_epmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_server_packets'($*)) dnl - - gen_require(` - type epmap_server_packet_t; - ') - - allow $1 epmap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the epmd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the epmd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the epmd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the epmd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the epmd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the epmd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the epmd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the epmd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmd_port'($*)) dnl - - gen_require(` - type epmd_port_t; - ') - - allow $1 epmd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the epmd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmd_port'($*)) dnl - - gen_require(` - type epmd_port_t; - ') - - allow $1 epmd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the epmd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_epmd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmd_port'($*)) dnl - - gen_require(` - type epmd_port_t; - ') - - allow $1 epmd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmd_port'($*)) dnl - ') - - - -######################################## -## -## Send epmd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_client_packets'($*)) dnl - - gen_require(` - type epmd_client_packet_t; - ') - - allow $1 epmd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send epmd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_client_packets'($*)) dnl - - gen_require(` - type epmd_client_packet_t; - ') - - dontaudit $1 epmd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive epmd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_client_packets'($*)) dnl - - gen_require(` - type epmd_client_packet_t; - ') - - allow $1 epmd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive epmd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl - - gen_require(` - type epmd_client_packet_t; - ') - - dontaudit $1 epmd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive epmd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_client_packets'($*)) dnl - - corenet_send_epmd_client_packets($1) - corenet_receive_epmd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive epmd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl - - corenet_dontaudit_send_epmd_client_packets($1) - corenet_dontaudit_receive_epmd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to epmd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_epmd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_client_packets'($*)) dnl - - gen_require(` - type epmd_client_packet_t; - ') - - allow $1 epmd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send epmd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_server_packets'($*)) dnl - - gen_require(` - type epmd_server_packet_t; - ') - - allow $1 epmd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send epmd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_server_packets'($*)) dnl - - gen_require(` - type epmd_server_packet_t; - ') - - dontaudit $1 epmd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive epmd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_server_packets'($*)) dnl - - gen_require(` - type epmd_server_packet_t; - ') - - allow $1 epmd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive epmd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl - - gen_require(` - type epmd_server_packet_t; - ') - - dontaudit $1 epmd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive epmd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_server_packets'($*)) dnl - - corenet_send_epmd_server_packets($1) - corenet_receive_epmd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive epmd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl - - corenet_dontaudit_send_epmd_server_packets($1) - corenet_dontaudit_receive_epmd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to epmd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_epmd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_server_packets'($*)) dnl - - gen_require(` - type epmd_server_packet_t; - ') - - allow $1 epmd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the fingerd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the fingerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the fingerd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the fingerd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the fingerd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the fingerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the fingerd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the fingerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fingerd_port'($*)) dnl - - gen_require(` - type fingerd_port_t; - ') - - allow $1 fingerd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the fingerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fingerd_port'($*)) dnl - - gen_require(` - type fingerd_port_t; - ') - - allow $1 fingerd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fingerd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the fingerd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_fingerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fingerd_port'($*)) dnl - - gen_require(` - type fingerd_port_t; - ') - - allow $1 fingerd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fingerd_port'($*)) dnl - ') - - - -######################################## -## -## Send fingerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_client_packets'($*)) dnl - - gen_require(` - type fingerd_client_packet_t; - ') - - allow $1 fingerd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send fingerd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl - - gen_require(` - type fingerd_client_packet_t; - ') - - dontaudit $1 fingerd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive fingerd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_client_packets'($*)) dnl - - gen_require(` - type fingerd_client_packet_t; - ') - - allow $1 fingerd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive fingerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl - - gen_require(` - type fingerd_client_packet_t; - ') - - dontaudit $1 fingerd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive fingerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_client_packets'($*)) dnl - - corenet_send_fingerd_client_packets($1) - corenet_receive_fingerd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive fingerd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl - - corenet_dontaudit_send_fingerd_client_packets($1) - corenet_dontaudit_receive_fingerd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to fingerd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_fingerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_client_packets'($*)) dnl - - gen_require(` - type fingerd_client_packet_t; - ') - - allow $1 fingerd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send fingerd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_server_packets'($*)) dnl - - gen_require(` - type fingerd_server_packet_t; - ') - - allow $1 fingerd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send fingerd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl - - gen_require(` - type fingerd_server_packet_t; - ') - - dontaudit $1 fingerd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive fingerd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_server_packets'($*)) dnl - - gen_require(` - type fingerd_server_packet_t; - ') - - allow $1 fingerd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive fingerd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl - - gen_require(` - type fingerd_server_packet_t; - ') - - dontaudit $1 fingerd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive fingerd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_server_packets'($*)) dnl - - corenet_send_fingerd_server_packets($1) - corenet_receive_fingerd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive fingerd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl - - corenet_dontaudit_send_fingerd_server_packets($1) - corenet_dontaudit_receive_fingerd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to fingerd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_fingerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_server_packets'($*)) dnl - - gen_require(` - type fingerd_server_packet_t; - ') - - allow $1 fingerd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ftp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ftp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ftp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ftp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ftp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_port'($*)) dnl - - gen_require(` - type ftp_port_t; - ') - - allow $1 ftp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_port'($*)) dnl - - gen_require(` - type ftp_port_t; - ') - - allow $1 ftp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ftp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_port'($*)) dnl - - gen_require(` - type ftp_port_t; - ') - - allow $1 ftp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_port'($*)) dnl - ') - - - -######################################## -## -## Send ftp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_client_packets'($*)) dnl - - gen_require(` - type ftp_client_packet_t; - ') - - allow $1 ftp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ftp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_client_packets'($*)) dnl - - gen_require(` - type ftp_client_packet_t; - ') - - dontaudit $1 ftp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ftp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_client_packets'($*)) dnl - - gen_require(` - type ftp_client_packet_t; - ') - - allow $1 ftp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ftp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl - - gen_require(` - type ftp_client_packet_t; - ') - - dontaudit $1 ftp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ftp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_client_packets'($*)) dnl - - corenet_send_ftp_client_packets($1) - corenet_receive_ftp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ftp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl - - corenet_dontaudit_send_ftp_client_packets($1) - corenet_dontaudit_receive_ftp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ftp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_client_packets'($*)) dnl - - gen_require(` - type ftp_client_packet_t; - ') - - allow $1 ftp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_server_packets'($*)) dnl - - gen_require(` - type ftp_server_packet_t; - ') - - allow $1 ftp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ftp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_server_packets'($*)) dnl - - gen_require(` - type ftp_server_packet_t; - ') - - dontaudit $1 ftp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_server_packets'($*)) dnl - - gen_require(` - type ftp_server_packet_t; - ') - - allow $1 ftp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl - - gen_require(` - type ftp_server_packet_t; - ') - - dontaudit $1 ftp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ftp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_server_packets'($*)) dnl - - corenet_send_ftp_server_packets($1) - corenet_receive_ftp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ftp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl - - corenet_dontaudit_send_ftp_server_packets($1) - corenet_dontaudit_receive_ftp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ftp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_server_packets'($*)) dnl - - gen_require(` - type ftp_server_packet_t; - ') - - allow $1 ftp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ftp_data port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ftp_data port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ftp_data port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ftp_data port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ftp_data port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ftp_data port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ftp_data port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ftp_data port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_data_port'($*)) dnl - - gen_require(` - type ftp_data_port_t; - ') - - allow $1 ftp_data_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ftp_data port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_data_port'($*)) dnl - - gen_require(` - type ftp_data_port_t; - ') - - allow $1 ftp_data_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_data_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ftp_data port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ftp_data_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_data_port'($*)) dnl - - gen_require(` - type ftp_data_port_t; - ') - - allow $1 ftp_data_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_data_port'($*)) dnl - ') - - - -######################################## -## -## Send ftp_data_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_client_packets'($*)) dnl - - gen_require(` - type ftp_data_client_packet_t; - ') - - allow $1 ftp_data_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ftp_data_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl - - gen_require(` - type ftp_data_client_packet_t; - ') - - dontaudit $1 ftp_data_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ftp_data_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_client_packets'($*)) dnl - - gen_require(` - type ftp_data_client_packet_t; - ') - - allow $1 ftp_data_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ftp_data_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl - - gen_require(` - type ftp_data_client_packet_t; - ') - - dontaudit $1 ftp_data_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ftp_data_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_client_packets'($*)) dnl - - corenet_send_ftp_data_client_packets($1) - corenet_receive_ftp_data_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ftp_data_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl - - corenet_dontaudit_send_ftp_data_client_packets($1) - corenet_dontaudit_receive_ftp_data_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ftp_data_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ftp_data_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_client_packets'($*)) dnl - - gen_require(` - type ftp_data_client_packet_t; - ') - - allow $1 ftp_data_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ftp_data_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_server_packets'($*)) dnl - - gen_require(` - type ftp_data_server_packet_t; - ') - - allow $1 ftp_data_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ftp_data_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl - - gen_require(` - type ftp_data_server_packet_t; - ') - - dontaudit $1 ftp_data_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ftp_data_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_server_packets'($*)) dnl - - gen_require(` - type ftp_data_server_packet_t; - ') - - allow $1 ftp_data_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ftp_data_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl - - gen_require(` - type ftp_data_server_packet_t; - ') - - dontaudit $1 ftp_data_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ftp_data_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_server_packets'($*)) dnl - - corenet_send_ftp_data_server_packets($1) - corenet_receive_ftp_data_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ftp_data_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl - - corenet_dontaudit_send_ftp_data_server_packets($1) - corenet_dontaudit_receive_ftp_data_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ftp_data_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ftp_data_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_server_packets'($*)) dnl - - gen_require(` - type ftp_data_server_packet_t; - ') - - allow $1 ftp_data_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the gatekeeper port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the gatekeeper port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the gatekeeper port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the gatekeeper port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the gatekeeper port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the gatekeeper port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the gatekeeper port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the gatekeeper port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gatekeeper_port'($*)) dnl - - gen_require(` - type gatekeeper_port_t; - ') - - allow $1 gatekeeper_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the gatekeeper port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gatekeeper_port'($*)) dnl - - gen_require(` - type gatekeeper_port_t; - ') - - allow $1 gatekeeper_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gatekeeper_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the gatekeeper port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_gatekeeper_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gatekeeper_port'($*)) dnl - - gen_require(` - type gatekeeper_port_t; - ') - - allow $1 gatekeeper_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gatekeeper_port'($*)) dnl - ') - - - -######################################## -## -## Send gatekeeper_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_client_packets'($*)) dnl - - gen_require(` - type gatekeeper_client_packet_t; - ') - - allow $1 gatekeeper_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gatekeeper_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl - - gen_require(` - type gatekeeper_client_packet_t; - ') - - dontaudit $1 gatekeeper_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive gatekeeper_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_client_packets'($*)) dnl - - gen_require(` - type gatekeeper_client_packet_t; - ') - - allow $1 gatekeeper_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gatekeeper_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl - - gen_require(` - type gatekeeper_client_packet_t; - ') - - dontaudit $1 gatekeeper_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gatekeeper_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl - - corenet_send_gatekeeper_client_packets($1) - corenet_receive_gatekeeper_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gatekeeper_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl - - corenet_dontaudit_send_gatekeeper_client_packets($1) - corenet_dontaudit_receive_gatekeeper_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gatekeeper_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gatekeeper_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_client_packets'($*)) dnl - - gen_require(` - type gatekeeper_client_packet_t; - ') - - allow $1 gatekeeper_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send gatekeeper_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_server_packets'($*)) dnl - - gen_require(` - type gatekeeper_server_packet_t; - ') - - allow $1 gatekeeper_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gatekeeper_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl - - gen_require(` - type gatekeeper_server_packet_t; - ') - - dontaudit $1 gatekeeper_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive gatekeeper_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_server_packets'($*)) dnl - - gen_require(` - type gatekeeper_server_packet_t; - ') - - allow $1 gatekeeper_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gatekeeper_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl - - gen_require(` - type gatekeeper_server_packet_t; - ') - - dontaudit $1 gatekeeper_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gatekeeper_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl - - corenet_send_gatekeeper_server_packets($1) - corenet_receive_gatekeeper_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gatekeeper_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl - - corenet_dontaudit_send_gatekeeper_server_packets($1) - corenet_dontaudit_receive_gatekeeper_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gatekeeper_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gatekeeper_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_server_packets'($*)) dnl - - gen_require(` - type gatekeeper_server_packet_t; - ') - - allow $1 gatekeeper_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the gdomap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the gdomap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the gdomap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the gdomap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the gdomap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the gdomap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the gdomap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the gdomap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gdomap_port'($*)) dnl - - gen_require(` - type gdomap_port_t; - ') - - allow $1 gdomap_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the gdomap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gdomap_port'($*)) dnl - - gen_require(` - type gdomap_port_t; - ') - - allow $1 gdomap_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gdomap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the gdomap port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_gdomap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gdomap_port'($*)) dnl - - gen_require(` - type gdomap_port_t; - ') - - allow $1 gdomap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gdomap_port'($*)) dnl - ') - - - -######################################## -## -## Send gdomap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_client_packets'($*)) dnl - - gen_require(` - type gdomap_client_packet_t; - ') - - allow $1 gdomap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gdomap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl - - gen_require(` - type gdomap_client_packet_t; - ') - - dontaudit $1 gdomap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive gdomap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_client_packets'($*)) dnl - - gen_require(` - type gdomap_client_packet_t; - ') - - allow $1 gdomap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gdomap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl - - gen_require(` - type gdomap_client_packet_t; - ') - - dontaudit $1 gdomap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gdomap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_client_packets'($*)) dnl - - corenet_send_gdomap_client_packets($1) - corenet_receive_gdomap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gdomap_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl - - corenet_dontaudit_send_gdomap_client_packets($1) - corenet_dontaudit_receive_gdomap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gdomap_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gdomap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_client_packets'($*)) dnl - - gen_require(` - type gdomap_client_packet_t; - ') - - allow $1 gdomap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send gdomap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_server_packets'($*)) dnl - - gen_require(` - type gdomap_server_packet_t; - ') - - allow $1 gdomap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gdomap_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl - - gen_require(` - type gdomap_server_packet_t; - ') - - dontaudit $1 gdomap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive gdomap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_server_packets'($*)) dnl - - gen_require(` - type gdomap_server_packet_t; - ') - - allow $1 gdomap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gdomap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl - - gen_require(` - type gdomap_server_packet_t; - ') - - dontaudit $1 gdomap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gdomap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_server_packets'($*)) dnl - - corenet_send_gdomap_server_packets($1) - corenet_receive_gdomap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gdomap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl - - corenet_dontaudit_send_gdomap_server_packets($1) - corenet_dontaudit_receive_gdomap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gdomap_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gdomap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_server_packets'($*)) dnl - - gen_require(` - type gdomap_server_packet_t; - ') - - allow $1 gdomap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the gds_db port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the gds_db port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the gds_db port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the gds_db port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the gds_db port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the gds_db port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the gds_db port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the gds_db port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gds_db_port'($*)) dnl - - gen_require(` - type gds_db_port_t; - ') - - allow $1 gds_db_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the gds_db port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gds_db_port'($*)) dnl - - gen_require(` - type gds_db_port_t; - ') - - allow $1 gds_db_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gds_db_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the gds_db port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_gds_db_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gds_db_port'($*)) dnl - - gen_require(` - type gds_db_port_t; - ') - - allow $1 gds_db_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gds_db_port'($*)) dnl - ') - - - -######################################## -## -## Send gds_db_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_client_packets'($*)) dnl - - gen_require(` - type gds_db_client_packet_t; - ') - - allow $1 gds_db_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gds_db_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl - - gen_require(` - type gds_db_client_packet_t; - ') - - dontaudit $1 gds_db_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive gds_db_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_client_packets'($*)) dnl - - gen_require(` - type gds_db_client_packet_t; - ') - - allow $1 gds_db_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gds_db_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl - - gen_require(` - type gds_db_client_packet_t; - ') - - dontaudit $1 gds_db_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gds_db_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_client_packets'($*)) dnl - - corenet_send_gds_db_client_packets($1) - corenet_receive_gds_db_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gds_db_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl - - corenet_dontaudit_send_gds_db_client_packets($1) - corenet_dontaudit_receive_gds_db_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gds_db_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gds_db_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_client_packets'($*)) dnl - - gen_require(` - type gds_db_client_packet_t; - ') - - allow $1 gds_db_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send gds_db_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_server_packets'($*)) dnl - - gen_require(` - type gds_db_server_packet_t; - ') - - allow $1 gds_db_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gds_db_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl - - gen_require(` - type gds_db_server_packet_t; - ') - - dontaudit $1 gds_db_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive gds_db_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_server_packets'($*)) dnl - - gen_require(` - type gds_db_server_packet_t; - ') - - allow $1 gds_db_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gds_db_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl - - gen_require(` - type gds_db_server_packet_t; - ') - - dontaudit $1 gds_db_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gds_db_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_server_packets'($*)) dnl - - corenet_send_gds_db_server_packets($1) - corenet_receive_gds_db_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gds_db_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl - - corenet_dontaudit_send_gds_db_server_packets($1) - corenet_dontaudit_receive_gds_db_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gds_db_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gds_db_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_server_packets'($*)) dnl - - gen_require(` - type gds_db_server_packet_t; - ') - - allow $1 gds_db_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the giftd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_giftd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the giftd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_giftd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the giftd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_giftd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the giftd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_giftd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the giftd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the giftd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_giftd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the giftd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the giftd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_giftd_port'($*)) dnl - - gen_require(` - type giftd_port_t; - ') - - allow $1 giftd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_giftd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the giftd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_giftd_port'($*)) dnl - - gen_require(` - type giftd_port_t; - ') - - allow $1 giftd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_giftd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the giftd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_giftd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_giftd_port'($*)) dnl - - gen_require(` - type giftd_port_t; - ') - - allow $1 giftd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_giftd_port'($*)) dnl - ') - - - -######################################## -## -## Send giftd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_client_packets'($*)) dnl - - gen_require(` - type giftd_client_packet_t; - ') - - allow $1 giftd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send giftd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_client_packets'($*)) dnl - - gen_require(` - type giftd_client_packet_t; - ') - - dontaudit $1 giftd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive giftd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_client_packets'($*)) dnl - - gen_require(` - type giftd_client_packet_t; - ') - - allow $1 giftd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive giftd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl - - gen_require(` - type giftd_client_packet_t; - ') - - dontaudit $1 giftd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive giftd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_client_packets'($*)) dnl - - corenet_send_giftd_client_packets($1) - corenet_receive_giftd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive giftd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl - - corenet_dontaudit_send_giftd_client_packets($1) - corenet_dontaudit_receive_giftd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to giftd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_giftd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_client_packets'($*)) dnl - - gen_require(` - type giftd_client_packet_t; - ') - - allow $1 giftd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send giftd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_server_packets'($*)) dnl - - gen_require(` - type giftd_server_packet_t; - ') - - allow $1 giftd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send giftd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_server_packets'($*)) dnl - - gen_require(` - type giftd_server_packet_t; - ') - - dontaudit $1 giftd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive giftd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_server_packets'($*)) dnl - - gen_require(` - type giftd_server_packet_t; - ') - - allow $1 giftd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive giftd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl - - gen_require(` - type giftd_server_packet_t; - ') - - dontaudit $1 giftd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive giftd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_server_packets'($*)) dnl - - corenet_send_giftd_server_packets($1) - corenet_receive_giftd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive giftd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl - - corenet_dontaudit_send_giftd_server_packets($1) - corenet_dontaudit_receive_giftd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to giftd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_giftd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_server_packets'($*)) dnl - - gen_require(` - type giftd_server_packet_t; - ') - - allow $1 giftd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the git port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_git_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the git port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_git_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the git port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_git_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the git port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_git_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the git port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_git_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the git port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_git_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the git port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_git_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_git_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the git port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_git_port'($*)) dnl - - gen_require(` - type git_port_t; - ') - - allow $1 git_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_git_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the git port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_git_port'($*)) dnl - - gen_require(` - type git_port_t; - ') - - allow $1 git_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_git_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the git port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_git_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_git_port'($*)) dnl - - gen_require(` - type git_port_t; - ') - - allow $1 git_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_git_port'($*)) dnl - ') - - - -######################################## -## -## Send git_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_git_client_packets'($*)) dnl - - gen_require(` - type git_client_packet_t; - ') - - allow $1 git_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send git_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_client_packets'($*)) dnl - - gen_require(` - type git_client_packet_t; - ') - - dontaudit $1 git_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive git_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_git_client_packets'($*)) dnl - - gen_require(` - type git_client_packet_t; - ') - - allow $1 git_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive git_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_client_packets'($*)) dnl - - gen_require(` - type git_client_packet_t; - ') - - dontaudit $1 git_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive git_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_client_packets'($*)) dnl - - corenet_send_git_client_packets($1) - corenet_receive_git_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive git_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_client_packets'($*)) dnl - - corenet_dontaudit_send_git_client_packets($1) - corenet_dontaudit_receive_git_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to git_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_git_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_client_packets'($*)) dnl - - gen_require(` - type git_client_packet_t; - ') - - allow $1 git_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send git_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_git_server_packets'($*)) dnl - - gen_require(` - type git_server_packet_t; - ') - - allow $1 git_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send git_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_server_packets'($*)) dnl - - gen_require(` - type git_server_packet_t; - ') - - dontaudit $1 git_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive git_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_git_server_packets'($*)) dnl - - gen_require(` - type git_server_packet_t; - ') - - allow $1 git_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive git_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_server_packets'($*)) dnl - - gen_require(` - type git_server_packet_t; - ') - - dontaudit $1 git_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive git_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_server_packets'($*)) dnl - - corenet_send_git_server_packets($1) - corenet_receive_git_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive git_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_server_packets'($*)) dnl - - corenet_dontaudit_send_git_server_packets($1) - corenet_dontaudit_receive_git_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to git_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_git_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_server_packets'($*)) dnl - - gen_require(` - type git_server_packet_t; - ') - - allow $1 git_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the glance_registry port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the glance_registry port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the glance_registry port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the glance_registry port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the glance_registry port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the glance_registry port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the glance_registry port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the glance_registry port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_glance_registry_port'($*)) dnl - - gen_require(` - type glance_registry_port_t; - ') - - allow $1 glance_registry_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the glance_registry port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_glance_registry_port'($*)) dnl - - gen_require(` - type glance_registry_port_t; - ') - - allow $1 glance_registry_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_glance_registry_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the glance_registry port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_glance_registry_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_glance_registry_port'($*)) dnl - - gen_require(` - type glance_registry_port_t; - ') - - allow $1 glance_registry_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_glance_registry_port'($*)) dnl - ') - - - -######################################## -## -## Send glance_registry_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_client_packets'($*)) dnl - - gen_require(` - type glance_registry_client_packet_t; - ') - - allow $1 glance_registry_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send glance_registry_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_client_packets'($*)) dnl - - gen_require(` - type glance_registry_client_packet_t; - ') - - dontaudit $1 glance_registry_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive glance_registry_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_client_packets'($*)) dnl - - gen_require(` - type glance_registry_client_packet_t; - ') - - allow $1 glance_registry_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive glance_registry_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl - - gen_require(` - type glance_registry_client_packet_t; - ') - - dontaudit $1 glance_registry_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive glance_registry_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_client_packets'($*)) dnl - - corenet_send_glance_registry_client_packets($1) - corenet_receive_glance_registry_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive glance_registry_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl - - corenet_dontaudit_send_glance_registry_client_packets($1) - corenet_dontaudit_receive_glance_registry_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to glance_registry_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_glance_registry_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_client_packets'($*)) dnl - - gen_require(` - type glance_registry_client_packet_t; - ') - - allow $1 glance_registry_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send glance_registry_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_server_packets'($*)) dnl - - gen_require(` - type glance_registry_server_packet_t; - ') - - allow $1 glance_registry_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send glance_registry_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl - - gen_require(` - type glance_registry_server_packet_t; - ') - - dontaudit $1 glance_registry_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive glance_registry_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_server_packets'($*)) dnl - - gen_require(` - type glance_registry_server_packet_t; - ') - - allow $1 glance_registry_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive glance_registry_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl - - gen_require(` - type glance_registry_server_packet_t; - ') - - dontaudit $1 glance_registry_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive glance_registry_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_server_packets'($*)) dnl - - corenet_send_glance_registry_server_packets($1) - corenet_receive_glance_registry_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive glance_registry_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl - - corenet_dontaudit_send_glance_registry_server_packets($1) - corenet_dontaudit_receive_glance_registry_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to glance_registry_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_glance_registry_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_server_packets'($*)) dnl - - gen_require(` - type glance_registry_server_packet_t; - ') - - allow $1 glance_registry_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the gopher port. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gopher_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the gopher port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_gopher_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the gopher port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gopher_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the gopher port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gopher_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the gopher port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the gopher port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gopher_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the gopher port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the gopher port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gopher_port'($*)) dnl - - gen_require(` - type gopher_port_t; - ') - - allow $1 gopher_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gopher_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the gopher port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gopher_port'($*)) dnl - - gen_require(` - type gopher_port_t; - ') - - allow $1 gopher_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gopher_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the gopher port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_gopher_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gopher_port'($*)) dnl - - gen_require(` - type gopher_port_t; - ') - - allow $1 gopher_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gopher_port'($*)) dnl - ') - - - -######################################## -## -## Send gopher_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_client_packets'($*)) dnl - - gen_require(` - type gopher_client_packet_t; - ') - - allow $1 gopher_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gopher_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_client_packets'($*)) dnl - - gen_require(` - type gopher_client_packet_t; - ') - - dontaudit $1 gopher_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive gopher_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_client_packets'($*)) dnl - - gen_require(` - type gopher_client_packet_t; - ') - - allow $1 gopher_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gopher_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl - - gen_require(` - type gopher_client_packet_t; - ') - - dontaudit $1 gopher_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gopher_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_client_packets'($*)) dnl - - corenet_send_gopher_client_packets($1) - corenet_receive_gopher_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gopher_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl - - corenet_dontaudit_send_gopher_client_packets($1) - corenet_dontaudit_receive_gopher_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gopher_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gopher_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_client_packets'($*)) dnl - - gen_require(` - type gopher_client_packet_t; - ') - - allow $1 gopher_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send gopher_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_server_packets'($*)) dnl - - gen_require(` - type gopher_server_packet_t; - ') - - allow $1 gopher_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gopher_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_server_packets'($*)) dnl - - gen_require(` - type gopher_server_packet_t; - ') - - dontaudit $1 gopher_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive gopher_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_server_packets'($*)) dnl - - gen_require(` - type gopher_server_packet_t; - ') - - allow $1 gopher_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gopher_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl - - gen_require(` - type gopher_server_packet_t; - ') - - dontaudit $1 gopher_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gopher_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_server_packets'($*)) dnl - - corenet_send_gopher_server_packets($1) - corenet_receive_gopher_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gopher_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl - - corenet_dontaudit_send_gopher_server_packets($1) - corenet_dontaudit_receive_gopher_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gopher_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gopher_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_server_packets'($*)) dnl - - gen_require(` - type gopher_server_packet_t; - ') - - allow $1 gopher_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the gpsd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the gpsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the gpsd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the gpsd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the gpsd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the gpsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the gpsd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the gpsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gpsd_port'($*)) dnl - - gen_require(` - type gpsd_port_t; - ') - - allow $1 gpsd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the gpsd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gpsd_port'($*)) dnl - - gen_require(` - type gpsd_port_t; - ') - - allow $1 gpsd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gpsd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the gpsd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_gpsd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gpsd_port'($*)) dnl - - gen_require(` - type gpsd_port_t; - ') - - allow $1 gpsd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gpsd_port'($*)) dnl - ') - - - -######################################## -## -## Send gpsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_client_packets'($*)) dnl - - gen_require(` - type gpsd_client_packet_t; - ') - - allow $1 gpsd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gpsd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl - - gen_require(` - type gpsd_client_packet_t; - ') - - dontaudit $1 gpsd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive gpsd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_client_packets'($*)) dnl - - gen_require(` - type gpsd_client_packet_t; - ') - - allow $1 gpsd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gpsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl - - gen_require(` - type gpsd_client_packet_t; - ') - - dontaudit $1 gpsd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gpsd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_client_packets'($*)) dnl - - corenet_send_gpsd_client_packets($1) - corenet_receive_gpsd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gpsd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl - - corenet_dontaudit_send_gpsd_client_packets($1) - corenet_dontaudit_receive_gpsd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gpsd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gpsd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_client_packets'($*)) dnl - - gen_require(` - type gpsd_client_packet_t; - ') - - allow $1 gpsd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send gpsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_server_packets'($*)) dnl - - gen_require(` - type gpsd_server_packet_t; - ') - - allow $1 gpsd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send gpsd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl - - gen_require(` - type gpsd_server_packet_t; - ') - - dontaudit $1 gpsd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive gpsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_server_packets'($*)) dnl - - gen_require(` - type gpsd_server_packet_t; - ') - - allow $1 gpsd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive gpsd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl - - gen_require(` - type gpsd_server_packet_t; - ') - - dontaudit $1 gpsd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive gpsd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_server_packets'($*)) dnl - - corenet_send_gpsd_server_packets($1) - corenet_receive_gpsd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive gpsd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl - - corenet_dontaudit_send_gpsd_server_packets($1) - corenet_dontaudit_receive_gpsd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to gpsd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_gpsd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_server_packets'($*)) dnl - - gen_require(` - type gpsd_server_packet_t; - ') - - allow $1 gpsd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the hadoop_datanode port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the hadoop_datanode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the hadoop_datanode port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the hadoop_datanode port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the hadoop_datanode port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the hadoop_datanode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the hadoop_datanode port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the hadoop_datanode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl - - gen_require(` - type hadoop_datanode_port_t; - ') - - allow $1 hadoop_datanode_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the hadoop_datanode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_datanode_port'($*)) dnl - - gen_require(` - type hadoop_datanode_port_t; - ') - - allow $1 hadoop_datanode_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_datanode_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the hadoop_datanode port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_hadoop_datanode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl - - gen_require(` - type hadoop_datanode_port_t; - ') - - allow $1 hadoop_datanode_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl - ') - - - -######################################## -## -## Send hadoop_datanode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_client_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_client_packet_t; - ') - - allow $1 hadoop_datanode_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hadoop_datanode_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_client_packet_t; - ') - - dontaudit $1 hadoop_datanode_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive hadoop_datanode_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_client_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_client_packet_t; - ') - - allow $1 hadoop_datanode_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hadoop_datanode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_client_packet_t; - ') - - dontaudit $1 hadoop_datanode_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hadoop_datanode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl - - corenet_send_hadoop_datanode_client_packets($1) - corenet_receive_hadoop_datanode_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hadoop_datanode_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl - - corenet_dontaudit_send_hadoop_datanode_client_packets($1) - corenet_dontaudit_receive_hadoop_datanode_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hadoop_datanode_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hadoop_datanode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_client_packet_t; - ') - - allow $1 hadoop_datanode_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send hadoop_datanode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_server_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_server_packet_t; - ') - - allow $1 hadoop_datanode_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hadoop_datanode_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_server_packet_t; - ') - - dontaudit $1 hadoop_datanode_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive hadoop_datanode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_server_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_server_packet_t; - ') - - allow $1 hadoop_datanode_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hadoop_datanode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_server_packet_t; - ') - - dontaudit $1 hadoop_datanode_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hadoop_datanode_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl - - corenet_send_hadoop_datanode_server_packets($1) - corenet_receive_hadoop_datanode_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hadoop_datanode_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl - - corenet_dontaudit_send_hadoop_datanode_server_packets($1) - corenet_dontaudit_receive_hadoop_datanode_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hadoop_datanode_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hadoop_datanode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl - - gen_require(` - type hadoop_datanode_server_packet_t; - ') - - allow $1 hadoop_datanode_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the hadoop_namenode port. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the hadoop_namenode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the hadoop_namenode port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the hadoop_namenode port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the hadoop_namenode port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the hadoop_namenode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the hadoop_namenode port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the hadoop_namenode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl - - gen_require(` - type hadoop_namenode_port_t; - ') - - allow $1 hadoop_namenode_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the hadoop_namenode port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_namenode_port'($*)) dnl - - gen_require(` - type hadoop_namenode_port_t; - ') - - allow $1 hadoop_namenode_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_namenode_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the hadoop_namenode port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_hadoop_namenode_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl - - gen_require(` - type hadoop_namenode_port_t; - ') - - allow $1 hadoop_namenode_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl - ') - - - -######################################## -## -## Send hadoop_namenode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_client_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_client_packet_t; - ') - - allow $1 hadoop_namenode_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hadoop_namenode_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_client_packet_t; - ') - - dontaudit $1 hadoop_namenode_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive hadoop_namenode_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_client_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_client_packet_t; - ') - - allow $1 hadoop_namenode_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hadoop_namenode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_client_packet_t; - ') - - dontaudit $1 hadoop_namenode_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hadoop_namenode_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl - - corenet_send_hadoop_namenode_client_packets($1) - corenet_receive_hadoop_namenode_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hadoop_namenode_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl - - corenet_dontaudit_send_hadoop_namenode_client_packets($1) - corenet_dontaudit_receive_hadoop_namenode_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hadoop_namenode_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hadoop_namenode_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_client_packet_t; - ') - - allow $1 hadoop_namenode_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send hadoop_namenode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_server_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_server_packet_t; - ') - - allow $1 hadoop_namenode_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hadoop_namenode_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_server_packet_t; - ') - - dontaudit $1 hadoop_namenode_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive hadoop_namenode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_server_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_server_packet_t; - ') - - allow $1 hadoop_namenode_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hadoop_namenode_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_server_packet_t; - ') - - dontaudit $1 hadoop_namenode_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hadoop_namenode_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl - - corenet_send_hadoop_namenode_server_packets($1) - corenet_receive_hadoop_namenode_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hadoop_namenode_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl - - corenet_dontaudit_send_hadoop_namenode_server_packets($1) - corenet_dontaudit_receive_hadoop_namenode_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hadoop_namenode_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hadoop_namenode_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl - - gen_require(` - type hadoop_namenode_server_packet_t; - ') - - allow $1 hadoop_namenode_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the hddtemp port. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the hddtemp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the hddtemp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the hddtemp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the hddtemp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the hddtemp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the hddtemp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the hddtemp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hddtemp_port'($*)) dnl - - gen_require(` - type hddtemp_port_t; - ') - - allow $1 hddtemp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the hddtemp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hddtemp_port'($*)) dnl - - gen_require(` - type hddtemp_port_t; - ') - - allow $1 hddtemp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hddtemp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the hddtemp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_hddtemp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hddtemp_port'($*)) dnl - - gen_require(` - type hddtemp_port_t; - ') - - allow $1 hddtemp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hddtemp_port'($*)) dnl - ') - - - -######################################## -## -## Send hddtemp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_client_packets'($*)) dnl - - gen_require(` - type hddtemp_client_packet_t; - ') - - allow $1 hddtemp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hddtemp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl - - gen_require(` - type hddtemp_client_packet_t; - ') - - dontaudit $1 hddtemp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive hddtemp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_client_packets'($*)) dnl - - gen_require(` - type hddtemp_client_packet_t; - ') - - allow $1 hddtemp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hddtemp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl - - gen_require(` - type hddtemp_client_packet_t; - ') - - dontaudit $1 hddtemp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hddtemp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_client_packets'($*)) dnl - - corenet_send_hddtemp_client_packets($1) - corenet_receive_hddtemp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hddtemp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl - - corenet_dontaudit_send_hddtemp_client_packets($1) - corenet_dontaudit_receive_hddtemp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hddtemp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hddtemp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_client_packets'($*)) dnl - - gen_require(` - type hddtemp_client_packet_t; - ') - - allow $1 hddtemp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send hddtemp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_server_packets'($*)) dnl - - gen_require(` - type hddtemp_server_packet_t; - ') - - allow $1 hddtemp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hddtemp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl - - gen_require(` - type hddtemp_server_packet_t; - ') - - dontaudit $1 hddtemp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive hddtemp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_server_packets'($*)) dnl - - gen_require(` - type hddtemp_server_packet_t; - ') - - allow $1 hddtemp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hddtemp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl - - gen_require(` - type hddtemp_server_packet_t; - ') - - dontaudit $1 hddtemp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hddtemp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_server_packets'($*)) dnl - - corenet_send_hddtemp_server_packets($1) - corenet_receive_hddtemp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hddtemp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl - - corenet_dontaudit_send_hddtemp_server_packets($1) - corenet_dontaudit_receive_hddtemp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hddtemp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hddtemp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_server_packets'($*)) dnl - - gen_require(` - type hddtemp_server_packet_t; - ') - - allow $1 hddtemp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the howl port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_howl_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the howl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_howl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the howl port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_howl_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the howl port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_howl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the howl port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_howl_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the howl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_howl_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the howl port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the howl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_howl_port'($*)) dnl - - gen_require(` - type howl_port_t; - ') - - allow $1 howl_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_howl_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the howl port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_howl_port'($*)) dnl - - gen_require(` - type howl_port_t; - ') - - allow $1 howl_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_howl_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the howl port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_howl_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_howl_port'($*)) dnl - - gen_require(` - type howl_port_t; - ') - - allow $1 howl_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_howl_port'($*)) dnl - ') - - - -######################################## -## -## Send howl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_howl_client_packets'($*)) dnl - - gen_require(` - type howl_client_packet_t; - ') - - allow $1 howl_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send howl_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_client_packets'($*)) dnl - - gen_require(` - type howl_client_packet_t; - ') - - dontaudit $1 howl_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive howl_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_client_packets'($*)) dnl - - gen_require(` - type howl_client_packet_t; - ') - - allow $1 howl_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive howl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_client_packets'($*)) dnl - - gen_require(` - type howl_client_packet_t; - ') - - dontaudit $1 howl_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive howl_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_client_packets'($*)) dnl - - corenet_send_howl_client_packets($1) - corenet_receive_howl_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive howl_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl - - corenet_dontaudit_send_howl_client_packets($1) - corenet_dontaudit_receive_howl_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to howl_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_howl_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_client_packets'($*)) dnl - - gen_require(` - type howl_client_packet_t; - ') - - allow $1 howl_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send howl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_howl_server_packets'($*)) dnl - - gen_require(` - type howl_server_packet_t; - ') - - allow $1 howl_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send howl_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_server_packets'($*)) dnl - - gen_require(` - type howl_server_packet_t; - ') - - dontaudit $1 howl_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive howl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_server_packets'($*)) dnl - - gen_require(` - type howl_server_packet_t; - ') - - allow $1 howl_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive howl_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_server_packets'($*)) dnl - - gen_require(` - type howl_server_packet_t; - ') - - dontaudit $1 howl_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive howl_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_server_packets'($*)) dnl - - corenet_send_howl_server_packets($1) - corenet_receive_howl_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive howl_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl - - corenet_dontaudit_send_howl_server_packets($1) - corenet_dontaudit_receive_howl_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to howl_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_howl_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_server_packets'($*)) dnl - - gen_require(` - type howl_server_packet_t; - ') - - allow $1 howl_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the hplip port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hplip_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the hplip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_hplip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the hplip port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hplip_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the hplip port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hplip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the hplip port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the hplip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hplip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the hplip port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the hplip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hplip_port'($*)) dnl - - gen_require(` - type hplip_port_t; - ') - - allow $1 hplip_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hplip_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the hplip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hplip_port'($*)) dnl - - gen_require(` - type hplip_port_t; - ') - - allow $1 hplip_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hplip_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the hplip port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_hplip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hplip_port'($*)) dnl - - gen_require(` - type hplip_port_t; - ') - - allow $1 hplip_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hplip_port'($*)) dnl - ') - - - -######################################## -## -## Send hplip_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_client_packets'($*)) dnl - - gen_require(` - type hplip_client_packet_t; - ') - - allow $1 hplip_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hplip_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_client_packets'($*)) dnl - - gen_require(` - type hplip_client_packet_t; - ') - - dontaudit $1 hplip_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive hplip_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_client_packets'($*)) dnl - - gen_require(` - type hplip_client_packet_t; - ') - - allow $1 hplip_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hplip_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl - - gen_require(` - type hplip_client_packet_t; - ') - - dontaudit $1 hplip_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hplip_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_client_packets'($*)) dnl - - corenet_send_hplip_client_packets($1) - corenet_receive_hplip_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hplip_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl - - corenet_dontaudit_send_hplip_client_packets($1) - corenet_dontaudit_receive_hplip_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hplip_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hplip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_client_packets'($*)) dnl - - gen_require(` - type hplip_client_packet_t; - ') - - allow $1 hplip_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send hplip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_server_packets'($*)) dnl - - gen_require(` - type hplip_server_packet_t; - ') - - allow $1 hplip_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send hplip_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_server_packets'($*)) dnl - - gen_require(` - type hplip_server_packet_t; - ') - - dontaudit $1 hplip_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive hplip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_server_packets'($*)) dnl - - gen_require(` - type hplip_server_packet_t; - ') - - allow $1 hplip_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive hplip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl - - gen_require(` - type hplip_server_packet_t; - ') - - dontaudit $1 hplip_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive hplip_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_server_packets'($*)) dnl - - corenet_send_hplip_server_packets($1) - corenet_receive_hplip_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive hplip_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl - - corenet_dontaudit_send_hplip_server_packets($1) - corenet_dontaudit_receive_hplip_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to hplip_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_hplip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_server_packets'($*)) dnl - - gen_require(` - type hplip_server_packet_t; - ') - - allow $1 hplip_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the http port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the http port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the http port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the http port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the http port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_port'($*)) dnl - - gen_require(` - type http_port_t; - ') - - allow $1 http_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_port'($*)) dnl - - gen_require(` - type http_port_t; - ') - - allow $1 http_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the http port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_port'($*)) dnl - - gen_require(` - type http_port_t; - ') - - allow $1 http_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_port'($*)) dnl - ') - - - -######################################## -## -## Send http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_http_client_packets'($*)) dnl - - gen_require(` - type http_client_packet_t; - ') - - allow $1 http_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send http_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_client_packets'($*)) dnl - - gen_require(` - type http_client_packet_t; - ') - - dontaudit $1 http_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive http_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_http_client_packets'($*)) dnl - - gen_require(` - type http_client_packet_t; - ') - - allow $1 http_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_client_packets'($*)) dnl - - gen_require(` - type http_client_packet_t; - ') - - dontaudit $1 http_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_client_packets'($*)) dnl - - corenet_send_http_client_packets($1) - corenet_receive_http_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive http_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl - - corenet_dontaudit_send_http_client_packets($1) - corenet_dontaudit_receive_http_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to http_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_client_packets'($*)) dnl - - gen_require(` - type http_client_packet_t; - ') - - allow $1 http_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send http_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_http_server_packets'($*)) dnl - - gen_require(` - type http_server_packet_t; - ') - - allow $1 http_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send http_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_server_packets'($*)) dnl - - gen_require(` - type http_server_packet_t; - ') - - dontaudit $1 http_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive http_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_http_server_packets'($*)) dnl - - gen_require(` - type http_server_packet_t; - ') - - allow $1 http_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive http_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_server_packets'($*)) dnl - - gen_require(` - type http_server_packet_t; - ') - - dontaudit $1 http_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive http_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_server_packets'($*)) dnl - - corenet_send_http_server_packets($1) - corenet_receive_http_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive http_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl - - corenet_dontaudit_send_http_server_packets($1) - corenet_dontaudit_receive_http_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to http_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_server_packets'($*)) dnl - - gen_require(` - type http_server_packet_t; - ') - - allow $1 http_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_server_packets'($*)) dnl - ') - - - #8443 is mod_nss default port - - -######################################## -## -## Send and receive TCP traffic on the http_cache port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the http_cache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the http_cache port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the http_cache port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the http_cache port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the http_cache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the http_cache port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the http_cache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_cache_port'($*)) dnl - - gen_require(` - type http_cache_port_t; - ') - - allow $1 http_cache_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the http_cache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_cache_port'($*)) dnl - - gen_require(` - type http_cache_port_t; - ') - - allow $1 http_cache_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_cache_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the http_cache port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_http_cache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_cache_port'($*)) dnl - - gen_require(` - type http_cache_port_t; - ') - - allow $1 http_cache_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_cache_port'($*)) dnl - ') - - - -######################################## -## -## Send http_cache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_client_packets'($*)) dnl - - gen_require(` - type http_cache_client_packet_t; - ') - - allow $1 http_cache_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send http_cache_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl - - gen_require(` - type http_cache_client_packet_t; - ') - - dontaudit $1 http_cache_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive http_cache_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_client_packets'($*)) dnl - - gen_require(` - type http_cache_client_packet_t; - ') - - allow $1 http_cache_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive http_cache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl - - gen_require(` - type http_cache_client_packet_t; - ') - - dontaudit $1 http_cache_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive http_cache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_client_packets'($*)) dnl - - corenet_send_http_cache_client_packets($1) - corenet_receive_http_cache_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive http_cache_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl - - corenet_dontaudit_send_http_cache_client_packets($1) - corenet_dontaudit_receive_http_cache_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to http_cache_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_http_cache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_client_packets'($*)) dnl - - gen_require(` - type http_cache_client_packet_t; - ') - - allow $1 http_cache_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send http_cache_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_server_packets'($*)) dnl - - gen_require(` - type http_cache_server_packet_t; - ') - - allow $1 http_cache_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send http_cache_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl - - gen_require(` - type http_cache_server_packet_t; - ') - - dontaudit $1 http_cache_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive http_cache_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_server_packets'($*)) dnl - - gen_require(` - type http_cache_server_packet_t; - ') - - allow $1 http_cache_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive http_cache_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl - - gen_require(` - type http_cache_server_packet_t; - ') - - dontaudit $1 http_cache_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive http_cache_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_server_packets'($*)) dnl - - corenet_send_http_cache_server_packets($1) - corenet_receive_http_cache_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive http_cache_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl - - corenet_dontaudit_send_http_cache_server_packets($1) - corenet_dontaudit_receive_http_cache_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to http_cache_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_http_cache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_server_packets'($*)) dnl - - gen_require(` - type http_cache_server_packet_t; - ') - - allow $1 http_cache_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_server_packets'($*)) dnl - ') - - - # 8118 is for privoxy - - -######################################## -## -## Send and receive TCP traffic on the i18n_input port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the i18n_input port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the i18n_input port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the i18n_input port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the i18n_input port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the i18n_input port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the i18n_input port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the i18n_input port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_i18n_input_port'($*)) dnl - - gen_require(` - type i18n_input_port_t; - ') - - allow $1 i18n_input_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the i18n_input port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_i18n_input_port'($*)) dnl - - gen_require(` - type i18n_input_port_t; - ') - - allow $1 i18n_input_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_i18n_input_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the i18n_input port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_i18n_input_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_i18n_input_port'($*)) dnl - - gen_require(` - type i18n_input_port_t; - ') - - allow $1 i18n_input_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_i18n_input_port'($*)) dnl - ') - - - -######################################## -## -## Send i18n_input_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_client_packets'($*)) dnl - - gen_require(` - type i18n_input_client_packet_t; - ') - - allow $1 i18n_input_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send i18n_input_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl - - gen_require(` - type i18n_input_client_packet_t; - ') - - dontaudit $1 i18n_input_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive i18n_input_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_client_packets'($*)) dnl - - gen_require(` - type i18n_input_client_packet_t; - ') - - allow $1 i18n_input_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive i18n_input_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl - - gen_require(` - type i18n_input_client_packet_t; - ') - - dontaudit $1 i18n_input_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive i18n_input_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_client_packets'($*)) dnl - - corenet_send_i18n_input_client_packets($1) - corenet_receive_i18n_input_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive i18n_input_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl - - corenet_dontaudit_send_i18n_input_client_packets($1) - corenet_dontaudit_receive_i18n_input_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to i18n_input_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_i18n_input_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_client_packets'($*)) dnl - - gen_require(` - type i18n_input_client_packet_t; - ') - - allow $1 i18n_input_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send i18n_input_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_server_packets'($*)) dnl - - gen_require(` - type i18n_input_server_packet_t; - ') - - allow $1 i18n_input_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send i18n_input_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl - - gen_require(` - type i18n_input_server_packet_t; - ') - - dontaudit $1 i18n_input_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive i18n_input_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_server_packets'($*)) dnl - - gen_require(` - type i18n_input_server_packet_t; - ') - - allow $1 i18n_input_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive i18n_input_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl - - gen_require(` - type i18n_input_server_packet_t; - ') - - dontaudit $1 i18n_input_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive i18n_input_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_server_packets'($*)) dnl - - corenet_send_i18n_input_server_packets($1) - corenet_receive_i18n_input_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive i18n_input_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl - - corenet_dontaudit_send_i18n_input_server_packets($1) - corenet_dontaudit_receive_i18n_input_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to i18n_input_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_i18n_input_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_server_packets'($*)) dnl - - gen_require(` - type i18n_input_server_packet_t; - ') - - allow $1 i18n_input_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the imaze port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_imaze_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the imaze port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_imaze_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the imaze port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_imaze_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the imaze port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_imaze_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the imaze port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the imaze port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_imaze_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the imaze port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the imaze port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_imaze_port'($*)) dnl - - gen_require(` - type imaze_port_t; - ') - - allow $1 imaze_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_imaze_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the imaze port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_imaze_port'($*)) dnl - - gen_require(` - type imaze_port_t; - ') - - allow $1 imaze_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_imaze_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the imaze port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_imaze_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_imaze_port'($*)) dnl - - gen_require(` - type imaze_port_t; - ') - - allow $1 imaze_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_imaze_port'($*)) dnl - ') - - - -######################################## -## -## Send imaze_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_client_packets'($*)) dnl - - gen_require(` - type imaze_client_packet_t; - ') - - allow $1 imaze_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send imaze_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_client_packets'($*)) dnl - - gen_require(` - type imaze_client_packet_t; - ') - - dontaudit $1 imaze_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive imaze_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_client_packets'($*)) dnl - - gen_require(` - type imaze_client_packet_t; - ') - - allow $1 imaze_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive imaze_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl - - gen_require(` - type imaze_client_packet_t; - ') - - dontaudit $1 imaze_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive imaze_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_client_packets'($*)) dnl - - corenet_send_imaze_client_packets($1) - corenet_receive_imaze_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive imaze_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl - - corenet_dontaudit_send_imaze_client_packets($1) - corenet_dontaudit_receive_imaze_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to imaze_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_imaze_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_client_packets'($*)) dnl - - gen_require(` - type imaze_client_packet_t; - ') - - allow $1 imaze_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send imaze_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_server_packets'($*)) dnl - - gen_require(` - type imaze_server_packet_t; - ') - - allow $1 imaze_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send imaze_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_server_packets'($*)) dnl - - gen_require(` - type imaze_server_packet_t; - ') - - dontaudit $1 imaze_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive imaze_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_server_packets'($*)) dnl - - gen_require(` - type imaze_server_packet_t; - ') - - allow $1 imaze_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive imaze_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl - - gen_require(` - type imaze_server_packet_t; - ') - - dontaudit $1 imaze_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive imaze_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_server_packets'($*)) dnl - - corenet_send_imaze_server_packets($1) - corenet_receive_imaze_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive imaze_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl - - corenet_dontaudit_send_imaze_server_packets($1) - corenet_dontaudit_receive_imaze_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to imaze_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_imaze_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_server_packets'($*)) dnl - - gen_require(` - type imaze_server_packet_t; - ') - - allow $1 imaze_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the inetd_child port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the inetd_child port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the inetd_child port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the inetd_child port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the inetd_child port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the inetd_child port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the inetd_child port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the inetd_child port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_inetd_child_port'($*)) dnl - - gen_require(` - type inetd_child_port_t; - ') - - allow $1 inetd_child_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the inetd_child port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_inetd_child_port'($*)) dnl - - gen_require(` - type inetd_child_port_t; - ') - - allow $1 inetd_child_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_inetd_child_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the inetd_child port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_inetd_child_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_inetd_child_port'($*)) dnl - - gen_require(` - type inetd_child_port_t; - ') - - allow $1 inetd_child_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_inetd_child_port'($*)) dnl - ') - - - -######################################## -## -## Send inetd_child_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_client_packets'($*)) dnl - - gen_require(` - type inetd_child_client_packet_t; - ') - - allow $1 inetd_child_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send inetd_child_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl - - gen_require(` - type inetd_child_client_packet_t; - ') - - dontaudit $1 inetd_child_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive inetd_child_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_client_packets'($*)) dnl - - gen_require(` - type inetd_child_client_packet_t; - ') - - allow $1 inetd_child_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive inetd_child_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl - - gen_require(` - type inetd_child_client_packet_t; - ') - - dontaudit $1 inetd_child_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive inetd_child_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_client_packets'($*)) dnl - - corenet_send_inetd_child_client_packets($1) - corenet_receive_inetd_child_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive inetd_child_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl - - corenet_dontaudit_send_inetd_child_client_packets($1) - corenet_dontaudit_receive_inetd_child_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to inetd_child_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_inetd_child_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_client_packets'($*)) dnl - - gen_require(` - type inetd_child_client_packet_t; - ') - - allow $1 inetd_child_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send inetd_child_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_server_packets'($*)) dnl - - gen_require(` - type inetd_child_server_packet_t; - ') - - allow $1 inetd_child_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send inetd_child_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl - - gen_require(` - type inetd_child_server_packet_t; - ') - - dontaudit $1 inetd_child_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive inetd_child_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_server_packets'($*)) dnl - - gen_require(` - type inetd_child_server_packet_t; - ') - - allow $1 inetd_child_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive inetd_child_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl - - gen_require(` - type inetd_child_server_packet_t; - ') - - dontaudit $1 inetd_child_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive inetd_child_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_server_packets'($*)) dnl - - corenet_send_inetd_child_server_packets($1) - corenet_receive_inetd_child_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive inetd_child_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl - - corenet_dontaudit_send_inetd_child_server_packets($1) - corenet_dontaudit_receive_inetd_child_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to inetd_child_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_inetd_child_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_server_packets'($*)) dnl - - gen_require(` - type inetd_child_server_packet_t; - ') - - allow $1 inetd_child_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the innd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_innd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the innd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_innd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the innd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_innd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the innd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_innd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the innd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_innd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the innd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_innd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the innd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the innd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_innd_port'($*)) dnl - - gen_require(` - type innd_port_t; - ') - - allow $1 innd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_innd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the innd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_innd_port'($*)) dnl - - gen_require(` - type innd_port_t; - ') - - allow $1 innd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_innd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the innd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_innd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_innd_port'($*)) dnl - - gen_require(` - type innd_port_t; - ') - - allow $1 innd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_innd_port'($*)) dnl - ') - - - -######################################## -## -## Send innd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_innd_client_packets'($*)) dnl - - gen_require(` - type innd_client_packet_t; - ') - - allow $1 innd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send innd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_client_packets'($*)) dnl - - gen_require(` - type innd_client_packet_t; - ') - - dontaudit $1 innd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive innd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_client_packets'($*)) dnl - - gen_require(` - type innd_client_packet_t; - ') - - allow $1 innd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive innd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_client_packets'($*)) dnl - - gen_require(` - type innd_client_packet_t; - ') - - dontaudit $1 innd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive innd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_client_packets'($*)) dnl - - corenet_send_innd_client_packets($1) - corenet_receive_innd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive innd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl - - corenet_dontaudit_send_innd_client_packets($1) - corenet_dontaudit_receive_innd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to innd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_innd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_client_packets'($*)) dnl - - gen_require(` - type innd_client_packet_t; - ') - - allow $1 innd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send innd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_innd_server_packets'($*)) dnl - - gen_require(` - type innd_server_packet_t; - ') - - allow $1 innd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send innd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_server_packets'($*)) dnl - - gen_require(` - type innd_server_packet_t; - ') - - dontaudit $1 innd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive innd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_server_packets'($*)) dnl - - gen_require(` - type innd_server_packet_t; - ') - - allow $1 innd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive innd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_server_packets'($*)) dnl - - gen_require(` - type innd_server_packet_t; - ') - - dontaudit $1 innd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive innd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_server_packets'($*)) dnl - - corenet_send_innd_server_packets($1) - corenet_receive_innd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive innd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl - - corenet_dontaudit_send_innd_server_packets($1) - corenet_dontaudit_receive_innd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to innd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_innd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_server_packets'($*)) dnl - - gen_require(` - type innd_server_packet_t; - ') - - allow $1 innd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the interwise port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_interwise_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the interwise port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_interwise_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the interwise port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_interwise_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the interwise port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_interwise_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the interwise port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the interwise port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_interwise_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the interwise port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the interwise port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_interwise_port'($*)) dnl - - gen_require(` - type interwise_port_t; - ') - - allow $1 interwise_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_interwise_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the interwise port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_interwise_port'($*)) dnl - - gen_require(` - type interwise_port_t; - ') - - allow $1 interwise_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_interwise_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the interwise port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_interwise_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_interwise_port'($*)) dnl - - gen_require(` - type interwise_port_t; - ') - - allow $1 interwise_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_interwise_port'($*)) dnl - ') - - - -######################################## -## -## Send interwise_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_client_packets'($*)) dnl - - gen_require(` - type interwise_client_packet_t; - ') - - allow $1 interwise_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send interwise_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_client_packets'($*)) dnl - - gen_require(` - type interwise_client_packet_t; - ') - - dontaudit $1 interwise_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive interwise_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_client_packets'($*)) dnl - - gen_require(` - type interwise_client_packet_t; - ') - - allow $1 interwise_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive interwise_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl - - gen_require(` - type interwise_client_packet_t; - ') - - dontaudit $1 interwise_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive interwise_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_client_packets'($*)) dnl - - corenet_send_interwise_client_packets($1) - corenet_receive_interwise_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive interwise_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl - - corenet_dontaudit_send_interwise_client_packets($1) - corenet_dontaudit_receive_interwise_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to interwise_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_interwise_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_client_packets'($*)) dnl - - gen_require(` - type interwise_client_packet_t; - ') - - allow $1 interwise_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send interwise_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_server_packets'($*)) dnl - - gen_require(` - type interwise_server_packet_t; - ') - - allow $1 interwise_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send interwise_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_server_packets'($*)) dnl - - gen_require(` - type interwise_server_packet_t; - ') - - dontaudit $1 interwise_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive interwise_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_server_packets'($*)) dnl - - gen_require(` - type interwise_server_packet_t; - ') - - allow $1 interwise_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive interwise_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl - - gen_require(` - type interwise_server_packet_t; - ') - - dontaudit $1 interwise_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive interwise_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_server_packets'($*)) dnl - - corenet_send_interwise_server_packets($1) - corenet_receive_interwise_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive interwise_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl - - corenet_dontaudit_send_interwise_server_packets($1) - corenet_dontaudit_receive_interwise_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to interwise_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_interwise_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_server_packets'($*)) dnl - - gen_require(` - type interwise_server_packet_t; - ') - - allow $1 interwise_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ionixnetmon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ionixnetmon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ionixnetmon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ionixnetmon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ionixnetmon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ionixnetmon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ionixnetmon port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ionixnetmon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ionixnetmon_port'($*)) dnl - - gen_require(` - type ionixnetmon_port_t; - ') - - allow $1 ionixnetmon_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ionixnetmon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ionixnetmon_port'($*)) dnl - - gen_require(` - type ionixnetmon_port_t; - ') - - allow $1 ionixnetmon_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ionixnetmon_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ionixnetmon port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ionixnetmon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ionixnetmon_port'($*)) dnl - - gen_require(` - type ionixnetmon_port_t; - ') - - allow $1 ionixnetmon_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ionixnetmon_port'($*)) dnl - ') - - - -######################################## -## -## Send ionixnetmon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_client_packets'($*)) dnl - - gen_require(` - type ionixnetmon_client_packet_t; - ') - - allow $1 ionixnetmon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ionixnetmon_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl - - gen_require(` - type ionixnetmon_client_packet_t; - ') - - dontaudit $1 ionixnetmon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ionixnetmon_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_client_packets'($*)) dnl - - gen_require(` - type ionixnetmon_client_packet_t; - ') - - allow $1 ionixnetmon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ionixnetmon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl - - gen_require(` - type ionixnetmon_client_packet_t; - ') - - dontaudit $1 ionixnetmon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ionixnetmon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl - - corenet_send_ionixnetmon_client_packets($1) - corenet_receive_ionixnetmon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ionixnetmon_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl - - corenet_dontaudit_send_ionixnetmon_client_packets($1) - corenet_dontaudit_receive_ionixnetmon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ionixnetmon_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ionixnetmon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl - - gen_require(` - type ionixnetmon_client_packet_t; - ') - - allow $1 ionixnetmon_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ionixnetmon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_server_packets'($*)) dnl - - gen_require(` - type ionixnetmon_server_packet_t; - ') - - allow $1 ionixnetmon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ionixnetmon_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl - - gen_require(` - type ionixnetmon_server_packet_t; - ') - - dontaudit $1 ionixnetmon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ionixnetmon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_server_packets'($*)) dnl - - gen_require(` - type ionixnetmon_server_packet_t; - ') - - allow $1 ionixnetmon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ionixnetmon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl - - gen_require(` - type ionixnetmon_server_packet_t; - ') - - dontaudit $1 ionixnetmon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ionixnetmon_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl - - corenet_send_ionixnetmon_server_packets($1) - corenet_receive_ionixnetmon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ionixnetmon_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl - - corenet_dontaudit_send_ionixnetmon_server_packets($1) - corenet_dontaudit_receive_ionixnetmon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ionixnetmon_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ionixnetmon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl - - gen_require(` - type ionixnetmon_server_packet_t; - ') - - allow $1 ionixnetmon_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ipmi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ipmi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ipmi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ipmi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ipmi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ipmi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ipmi port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ipmi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipmi_port'($*)) dnl - - gen_require(` - type ipmi_port_t; - ') - - allow $1 ipmi_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ipmi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipmi_port'($*)) dnl - - gen_require(` - type ipmi_port_t; - ') - - allow $1 ipmi_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipmi_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ipmi port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ipmi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipmi_port'($*)) dnl - - gen_require(` - type ipmi_port_t; - ') - - allow $1 ipmi_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipmi_port'($*)) dnl - ') - - - -######################################## -## -## Send ipmi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_client_packets'($*)) dnl - - gen_require(` - type ipmi_client_packet_t; - ') - - allow $1 ipmi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipmi_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl - - gen_require(` - type ipmi_client_packet_t; - ') - - dontaudit $1 ipmi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipmi_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_client_packets'($*)) dnl - - gen_require(` - type ipmi_client_packet_t; - ') - - allow $1 ipmi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipmi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl - - gen_require(` - type ipmi_client_packet_t; - ') - - dontaudit $1 ipmi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipmi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_client_packets'($*)) dnl - - corenet_send_ipmi_client_packets($1) - corenet_receive_ipmi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipmi_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl - - corenet_dontaudit_send_ipmi_client_packets($1) - corenet_dontaudit_receive_ipmi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipmi_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipmi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_client_packets'($*)) dnl - - gen_require(` - type ipmi_client_packet_t; - ') - - allow $1 ipmi_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ipmi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_server_packets'($*)) dnl - - gen_require(` - type ipmi_server_packet_t; - ') - - allow $1 ipmi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipmi_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl - - gen_require(` - type ipmi_server_packet_t; - ') - - dontaudit $1 ipmi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipmi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_server_packets'($*)) dnl - - gen_require(` - type ipmi_server_packet_t; - ') - - allow $1 ipmi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipmi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl - - gen_require(` - type ipmi_server_packet_t; - ') - - dontaudit $1 ipmi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipmi_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_server_packets'($*)) dnl - - corenet_send_ipmi_server_packets($1) - corenet_receive_ipmi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipmi_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl - - corenet_dontaudit_send_ipmi_server_packets($1) - corenet_dontaudit_receive_ipmi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipmi_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipmi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_server_packets'($*)) dnl - - gen_require(` - type ipmi_server_packet_t; - ') - - allow $1 ipmi_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ipp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ipp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ipp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ipp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ipp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ipp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ipp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ipp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipp_port'($*)) dnl - - gen_require(` - type ipp_port_t; - ') - - allow $1 ipp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ipp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipp_port'($*)) dnl - - gen_require(` - type ipp_port_t; - ') - - allow $1 ipp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ipp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ipp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipp_port'($*)) dnl - - gen_require(` - type ipp_port_t; - ') - - allow $1 ipp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipp_port'($*)) dnl - ') - - - -######################################## -## -## Send ipp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_client_packets'($*)) dnl - - gen_require(` - type ipp_client_packet_t; - ') - - allow $1 ipp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_client_packets'($*)) dnl - - gen_require(` - type ipp_client_packet_t; - ') - - dontaudit $1 ipp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_client_packets'($*)) dnl - - gen_require(` - type ipp_client_packet_t; - ') - - allow $1 ipp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl - - gen_require(` - type ipp_client_packet_t; - ') - - dontaudit $1 ipp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_client_packets'($*)) dnl - - corenet_send_ipp_client_packets($1) - corenet_receive_ipp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl - - corenet_dontaudit_send_ipp_client_packets($1) - corenet_dontaudit_receive_ipp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_client_packets'($*)) dnl - - gen_require(` - type ipp_client_packet_t; - ') - - allow $1 ipp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ipp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_server_packets'($*)) dnl - - gen_require(` - type ipp_server_packet_t; - ') - - allow $1 ipp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_server_packets'($*)) dnl - - gen_require(` - type ipp_server_packet_t; - ') - - dontaudit $1 ipp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_server_packets'($*)) dnl - - gen_require(` - type ipp_server_packet_t; - ') - - allow $1 ipp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl - - gen_require(` - type ipp_server_packet_t; - ') - - dontaudit $1 ipp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_server_packets'($*)) dnl - - corenet_send_ipp_server_packets($1) - corenet_receive_ipp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl - - corenet_dontaudit_send_ipp_server_packets($1) - corenet_dontaudit_receive_ipp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_server_packets'($*)) dnl - - gen_require(` - type ipp_server_packet_t; - ') - - allow $1 ipp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ipsecnat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ipsecnat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ipsecnat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ipsecnat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ipsecnat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ipsecnat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ipsecnat port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ipsecnat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipsecnat_port'($*)) dnl - - gen_require(` - type ipsecnat_port_t; - ') - - allow $1 ipsecnat_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ipsecnat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipsecnat_port'($*)) dnl - - gen_require(` - type ipsecnat_port_t; - ') - - allow $1 ipsecnat_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipsecnat_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ipsecnat port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ipsecnat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipsecnat_port'($*)) dnl - - gen_require(` - type ipsecnat_port_t; - ') - - allow $1 ipsecnat_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipsecnat_port'($*)) dnl - ') - - - -######################################## -## -## Send ipsecnat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_client_packets'($*)) dnl - - gen_require(` - type ipsecnat_client_packet_t; - ') - - allow $1 ipsecnat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipsecnat_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl - - gen_require(` - type ipsecnat_client_packet_t; - ') - - dontaudit $1 ipsecnat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipsecnat_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_client_packets'($*)) dnl - - gen_require(` - type ipsecnat_client_packet_t; - ') - - allow $1 ipsecnat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipsecnat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl - - gen_require(` - type ipsecnat_client_packet_t; - ') - - dontaudit $1 ipsecnat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipsecnat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl - - corenet_send_ipsecnat_client_packets($1) - corenet_receive_ipsecnat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipsecnat_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl - - corenet_dontaudit_send_ipsecnat_client_packets($1) - corenet_dontaudit_receive_ipsecnat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipsecnat_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipsecnat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_client_packets'($*)) dnl - - gen_require(` - type ipsecnat_client_packet_t; - ') - - allow $1 ipsecnat_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ipsecnat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_server_packets'($*)) dnl - - gen_require(` - type ipsecnat_server_packet_t; - ') - - allow $1 ipsecnat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ipsecnat_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl - - gen_require(` - type ipsecnat_server_packet_t; - ') - - dontaudit $1 ipsecnat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ipsecnat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_server_packets'($*)) dnl - - gen_require(` - type ipsecnat_server_packet_t; - ') - - allow $1 ipsecnat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ipsecnat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl - - gen_require(` - type ipsecnat_server_packet_t; - ') - - dontaudit $1 ipsecnat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ipsecnat_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl - - corenet_send_ipsecnat_server_packets($1) - corenet_receive_ipsecnat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ipsecnat_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl - - corenet_dontaudit_send_ipsecnat_server_packets($1) - corenet_dontaudit_receive_ipsecnat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ipsecnat_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ipsecnat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_server_packets'($*)) dnl - - gen_require(` - type ipsecnat_server_packet_t; - ') - - allow $1 ipsecnat_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ircd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ircd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ircd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ircd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ircd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ircd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ircd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ircd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ircd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ircd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ircd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ircd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ircd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ircd_port'($*)) dnl - - gen_require(` - type ircd_port_t; - ') - - allow $1 ircd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ircd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ircd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ircd_port'($*)) dnl - - gen_require(` - type ircd_port_t; - ') - - allow $1 ircd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ircd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ircd port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_ircd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ircd_port'($*)) dnl - - gen_require(` - type ircd_port_t; - ') - - allow $1 ircd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ircd_port'($*)) dnl - ') - - - -######################################## -## -## Send ircd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_client_packets'($*)) dnl - - gen_require(` - type ircd_client_packet_t; - ') - - allow $1 ircd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ircd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_client_packets'($*)) dnl - - gen_require(` - type ircd_client_packet_t; - ') - - dontaudit $1 ircd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ircd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_client_packets'($*)) dnl - - gen_require(` - type ircd_client_packet_t; - ') - - allow $1 ircd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ircd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl - - gen_require(` - type ircd_client_packet_t; - ') - - dontaudit $1 ircd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ircd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_client_packets'($*)) dnl - - corenet_send_ircd_client_packets($1) - corenet_receive_ircd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ircd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl - - corenet_dontaudit_send_ircd_client_packets($1) - corenet_dontaudit_receive_ircd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ircd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ircd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_client_packets'($*)) dnl - - gen_require(` - type ircd_client_packet_t; - ') - - allow $1 ircd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ircd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_server_packets'($*)) dnl - - gen_require(` - type ircd_server_packet_t; - ') - - allow $1 ircd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ircd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_server_packets'($*)) dnl - - gen_require(` - type ircd_server_packet_t; - ') - - dontaudit $1 ircd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ircd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_server_packets'($*)) dnl - - gen_require(` - type ircd_server_packet_t; - ') - - allow $1 ircd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ircd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl - - gen_require(` - type ircd_server_packet_t; - ') - - dontaudit $1 ircd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ircd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_server_packets'($*)) dnl - - corenet_send_ircd_server_packets($1) - corenet_receive_ircd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ircd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl - - corenet_dontaudit_send_ircd_server_packets($1) - corenet_dontaudit_receive_ircd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ircd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ircd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_server_packets'($*)) dnl - - gen_require(` - type ircd_server_packet_t; - ') - - allow $1 ircd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the isakmp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the isakmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the isakmp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the isakmp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the isakmp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the isakmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the isakmp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the isakmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isakmp_port'($*)) dnl - - gen_require(` - type isakmp_port_t; - ') - - allow $1 isakmp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the isakmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isakmp_port'($*)) dnl - - gen_require(` - type isakmp_port_t; - ') - - allow $1 isakmp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isakmp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the isakmp port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_isakmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isakmp_port'($*)) dnl - - gen_require(` - type isakmp_port_t; - ') - - allow $1 isakmp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isakmp_port'($*)) dnl - ') - - - -######################################## -## -## Send isakmp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_client_packets'($*)) dnl - - gen_require(` - type isakmp_client_packet_t; - ') - - allow $1 isakmp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send isakmp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl - - gen_require(` - type isakmp_client_packet_t; - ') - - dontaudit $1 isakmp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive isakmp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_client_packets'($*)) dnl - - gen_require(` - type isakmp_client_packet_t; - ') - - allow $1 isakmp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive isakmp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl - - gen_require(` - type isakmp_client_packet_t; - ') - - dontaudit $1 isakmp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive isakmp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_client_packets'($*)) dnl - - corenet_send_isakmp_client_packets($1) - corenet_receive_isakmp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive isakmp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl - - corenet_dontaudit_send_isakmp_client_packets($1) - corenet_dontaudit_receive_isakmp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to isakmp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_isakmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_client_packets'($*)) dnl - - gen_require(` - type isakmp_client_packet_t; - ') - - allow $1 isakmp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send isakmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_server_packets'($*)) dnl - - gen_require(` - type isakmp_server_packet_t; - ') - - allow $1 isakmp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send isakmp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl - - gen_require(` - type isakmp_server_packet_t; - ') - - dontaudit $1 isakmp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive isakmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_server_packets'($*)) dnl - - gen_require(` - type isakmp_server_packet_t; - ') - - allow $1 isakmp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive isakmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl - - gen_require(` - type isakmp_server_packet_t; - ') - - dontaudit $1 isakmp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive isakmp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_server_packets'($*)) dnl - - corenet_send_isakmp_server_packets($1) - corenet_receive_isakmp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive isakmp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl - - corenet_dontaudit_send_isakmp_server_packets($1) - corenet_dontaudit_receive_isakmp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to isakmp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_isakmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_server_packets'($*)) dnl - - gen_require(` - type isakmp_server_packet_t; - ') - - allow $1 isakmp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the iscsi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the iscsi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the iscsi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the iscsi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the iscsi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the iscsi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the iscsi port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the iscsi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_iscsi_port'($*)) dnl - - gen_require(` - type iscsi_port_t; - ') - - allow $1 iscsi_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the iscsi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_iscsi_port'($*)) dnl - - gen_require(` - type iscsi_port_t; - ') - - allow $1 iscsi_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_iscsi_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the iscsi port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_iscsi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_iscsi_port'($*)) dnl - - gen_require(` - type iscsi_port_t; - ') - - allow $1 iscsi_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_iscsi_port'($*)) dnl - ') - - - -######################################## -## -## Send iscsi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_client_packets'($*)) dnl - - gen_require(` - type iscsi_client_packet_t; - ') - - allow $1 iscsi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send iscsi_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl - - gen_require(` - type iscsi_client_packet_t; - ') - - dontaudit $1 iscsi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive iscsi_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_client_packets'($*)) dnl - - gen_require(` - type iscsi_client_packet_t; - ') - - allow $1 iscsi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive iscsi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl - - gen_require(` - type iscsi_client_packet_t; - ') - - dontaudit $1 iscsi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive iscsi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_client_packets'($*)) dnl - - corenet_send_iscsi_client_packets($1) - corenet_receive_iscsi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive iscsi_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl - - corenet_dontaudit_send_iscsi_client_packets($1) - corenet_dontaudit_receive_iscsi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to iscsi_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_iscsi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_client_packets'($*)) dnl - - gen_require(` - type iscsi_client_packet_t; - ') - - allow $1 iscsi_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send iscsi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_server_packets'($*)) dnl - - gen_require(` - type iscsi_server_packet_t; - ') - - allow $1 iscsi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send iscsi_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl - - gen_require(` - type iscsi_server_packet_t; - ') - - dontaudit $1 iscsi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive iscsi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_server_packets'($*)) dnl - - gen_require(` - type iscsi_server_packet_t; - ') - - allow $1 iscsi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive iscsi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl - - gen_require(` - type iscsi_server_packet_t; - ') - - dontaudit $1 iscsi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive iscsi_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_server_packets'($*)) dnl - - corenet_send_iscsi_server_packets($1) - corenet_receive_iscsi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive iscsi_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl - - corenet_dontaudit_send_iscsi_server_packets($1) - corenet_dontaudit_receive_iscsi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to iscsi_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_iscsi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_server_packets'($*)) dnl - - gen_require(` - type iscsi_server_packet_t; - ') - - allow $1 iscsi_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the isns port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isns_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the isns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_isns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the isns port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isns_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the isns port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the isns port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isns_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the isns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isns_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the isns port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the isns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isns_port'($*)) dnl - - gen_require(` - type isns_port_t; - ') - - allow $1 isns_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isns_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the isns port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isns_port'($*)) dnl - - gen_require(` - type isns_port_t; - ') - - allow $1 isns_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isns_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the isns port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_isns_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isns_port'($*)) dnl - - gen_require(` - type isns_port_t; - ') - - allow $1 isns_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isns_port'($*)) dnl - ') - - - -######################################## -## -## Send isns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_isns_client_packets'($*)) dnl - - gen_require(` - type isns_client_packet_t; - ') - - allow $1 isns_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send isns_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_client_packets'($*)) dnl - - gen_require(` - type isns_client_packet_t; - ') - - dontaudit $1 isns_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive isns_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_client_packets'($*)) dnl - - gen_require(` - type isns_client_packet_t; - ') - - allow $1 isns_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive isns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_client_packets'($*)) dnl - - gen_require(` - type isns_client_packet_t; - ') - - dontaudit $1 isns_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive isns_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_client_packets'($*)) dnl - - corenet_send_isns_client_packets($1) - corenet_receive_isns_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive isns_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl - - corenet_dontaudit_send_isns_client_packets($1) - corenet_dontaudit_receive_isns_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to isns_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_isns_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_client_packets'($*)) dnl - - gen_require(` - type isns_client_packet_t; - ') - - allow $1 isns_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send isns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_isns_server_packets'($*)) dnl - - gen_require(` - type isns_server_packet_t; - ') - - allow $1 isns_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send isns_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_server_packets'($*)) dnl - - gen_require(` - type isns_server_packet_t; - ') - - dontaudit $1 isns_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive isns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_server_packets'($*)) dnl - - gen_require(` - type isns_server_packet_t; - ') - - allow $1 isns_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive isns_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_server_packets'($*)) dnl - - gen_require(` - type isns_server_packet_t; - ') - - dontaudit $1 isns_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive isns_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_server_packets'($*)) dnl - - corenet_send_isns_server_packets($1) - corenet_receive_isns_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive isns_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl - - corenet_dontaudit_send_isns_server_packets($1) - corenet_dontaudit_receive_isns_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to isns_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_isns_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_server_packets'($*)) dnl - - gen_require(` - type isns_server_packet_t; - ') - - allow $1 isns_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the jabber_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the jabber_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the jabber_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the jabber_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the jabber_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the jabber_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the jabber_client port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the jabber_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_client_port'($*)) dnl - - gen_require(` - type jabber_client_port_t; - ') - - allow $1 jabber_client_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the jabber_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_client_port'($*)) dnl - - gen_require(` - type jabber_client_port_t; - ') - - allow $1 jabber_client_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_client_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the jabber_client port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_jabber_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_client_port'($*)) dnl - - gen_require(` - type jabber_client_port_t; - ') - - allow $1 jabber_client_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_client_port'($*)) dnl - ') - - - -######################################## -## -## Send jabber_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_client_packets'($*)) dnl - - gen_require(` - type jabber_client_client_packet_t; - ') - - allow $1 jabber_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jabber_client_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl - - gen_require(` - type jabber_client_client_packet_t; - ') - - dontaudit $1 jabber_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive jabber_client_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_client_packets'($*)) dnl - - gen_require(` - type jabber_client_client_packet_t; - ') - - allow $1 jabber_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jabber_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl - - gen_require(` - type jabber_client_client_packet_t; - ') - - dontaudit $1 jabber_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jabber_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_client_packets'($*)) dnl - - corenet_send_jabber_client_client_packets($1) - corenet_receive_jabber_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jabber_client_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl - - corenet_dontaudit_send_jabber_client_client_packets($1) - corenet_dontaudit_receive_jabber_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jabber_client_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_jabber_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_client_packets'($*)) dnl - - gen_require(` - type jabber_client_client_packet_t; - ') - - allow $1 jabber_client_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send jabber_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_server_packets'($*)) dnl - - gen_require(` - type jabber_client_server_packet_t; - ') - - allow $1 jabber_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jabber_client_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl - - gen_require(` - type jabber_client_server_packet_t; - ') - - dontaudit $1 jabber_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive jabber_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_server_packets'($*)) dnl - - gen_require(` - type jabber_client_server_packet_t; - ') - - allow $1 jabber_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jabber_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl - - gen_require(` - type jabber_client_server_packet_t; - ') - - dontaudit $1 jabber_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jabber_client_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_server_packets'($*)) dnl - - corenet_send_jabber_client_server_packets($1) - corenet_receive_jabber_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jabber_client_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl - - corenet_dontaudit_send_jabber_client_server_packets($1) - corenet_dontaudit_receive_jabber_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jabber_client_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_jabber_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_server_packets'($*)) dnl - - gen_require(` - type jabber_client_server_packet_t; - ') - - allow $1 jabber_client_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the jabber_interserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_sendrecv_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the jabber_interserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the jabber_interserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the jabber_interserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the jabber_interserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the jabber_interserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the jabber_interserver port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the jabber_interserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_interserver_port'($*)) dnl - - gen_require(` - type jabber_interserver_port_t; - ') - - allow $1 jabber_interserver_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the jabber_interserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_interserver_port'($*)) dnl - - gen_require(` - type jabber_interserver_port_t; - ') - - allow $1 jabber_interserver_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_interserver_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the jabber_interserver port. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_tcp_connect_jabber_interserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_interserver_port'($*)) dnl - - gen_require(` - type jabber_interserver_port_t; - ') - - allow $1 jabber_interserver_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_interserver_port'($*)) dnl - ') - - - -######################################## -## -## Send jabber_interserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_client_packets'($*)) dnl - - gen_require(` - type jabber_interserver_client_packet_t; - ') - - allow $1 jabber_interserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jabber_interserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl - - gen_require(` - type jabber_interserver_client_packet_t; - ') - - dontaudit $1 jabber_interserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive jabber_interserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_client_packets'($*)) dnl - - gen_require(` - type jabber_interserver_client_packet_t; - ') - - allow $1 jabber_interserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jabber_interserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl - - gen_require(` - type jabber_interserver_client_packet_t; - ') - - dontaudit $1 jabber_interserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jabber_interserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl - - corenet_send_jabber_interserver_client_packets($1) - corenet_receive_jabber_interserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jabber_interserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl - - corenet_dontaudit_send_jabber_interserver_client_packets($1) - corenet_dontaudit_receive_jabber_interserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jabber_interserver_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_jabber_interserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl - - gen_require(` - type jabber_interserver_client_packet_t; - ') - - allow $1 jabber_interserver_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send jabber_interserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_server_packets'($*)) dnl - - gen_require(` - type jabber_interserver_server_packet_t; - ') - - allow $1 jabber_interserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jabber_interserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl - - gen_require(` - type jabber_interserver_server_packet_t; - ') - - dontaudit $1 jabber_interserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive jabber_interserver_server packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_server_packets'($*)) dnl - - gen_require(` - type jabber_interserver_server_packet_t; - ') - - allow $1 jabber_interserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jabber_interserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl - - gen_require(` - type jabber_interserver_server_packet_t; - ') - - dontaudit $1 jabber_interserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jabber_interserver_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl - - corenet_send_jabber_interserver_server_packets($1) - corenet_receive_jabber_interserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jabber_interserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl - - corenet_dontaudit_send_jabber_interserver_server_packets($1) - corenet_dontaudit_receive_jabber_interserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jabber_interserver_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_jabber_interserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl - - gen_require(` - type jabber_interserver_server_packet_t; - ') - - allow $1 jabber_interserver_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the jboss_iiop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the jboss_iiop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the jboss_iiop port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the jboss_iiop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the jboss_iiop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the jboss_iiop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the jboss_iiop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_iiop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the jboss_iiop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_iiop_port'($*)) dnl - - gen_require(` - type jboss_iiop_port_t; - ') - - allow $1 jboss_iiop_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the jboss_iiop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_iiop_port'($*)) dnl - - gen_require(` - type jboss_iiop_port_t; - ') - - allow $1 jboss_iiop_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_iiop_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the jboss_iiop port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_jboss_iiop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_iiop_port'($*)) dnl - - gen_require(` - type jboss_iiop_port_t; - ') - - allow $1 jboss_iiop_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_iiop_port'($*)) dnl - ') - - - -######################################## -## -## Send jboss_iiop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_iiop_client_packets'($*)) dnl - - gen_require(` - type jboss_iiop_client_packet_t; - ') - - allow $1 jboss_iiop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jboss_iiop_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_iiop_client_packets'($*)) dnl - - gen_require(` - type jboss_iiop_client_packet_t; - ') - - dontaudit $1 jboss_iiop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive jboss_iiop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_iiop_client_packets'($*)) dnl - - gen_require(` - type jboss_iiop_client_packet_t; - ') - - allow $1 jboss_iiop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jboss_iiop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_iiop_client_packets'($*)) dnl - - gen_require(` - type jboss_iiop_client_packet_t; - ') - - dontaudit $1 jboss_iiop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jboss_iiop_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_iiop_client_packets'($*)) dnl - - corenet_send_jboss_iiop_client_packets($1) - corenet_receive_jboss_iiop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jboss_iiop_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_iiop_client_packets'($*)) dnl - - corenet_dontaudit_send_jboss_iiop_client_packets($1) - corenet_dontaudit_receive_jboss_iiop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_iiop_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jboss_iiop_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_jboss_iiop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_iiop_client_packets'($*)) dnl - - gen_require(` - type jboss_iiop_client_packet_t; - ') - - allow $1 jboss_iiop_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_iiop_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send jboss_iiop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_iiop_server_packets'($*)) dnl - - gen_require(` - type jboss_iiop_server_packet_t; - ') - - allow $1 jboss_iiop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send jboss_iiop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_iiop_server_packets'($*)) dnl - - gen_require(` - type jboss_iiop_server_packet_t; - ') - - dontaudit $1 jboss_iiop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive jboss_iiop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_iiop_server_packets'($*)) dnl - - gen_require(` - type jboss_iiop_server_packet_t; - ') - - allow $1 jboss_iiop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive jboss_iiop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_iiop_server_packets'($*)) dnl - - gen_require(` - type jboss_iiop_server_packet_t; - ') - - dontaudit $1 jboss_iiop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive jboss_iiop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_iiop_server_packets'($*)) dnl - - corenet_send_jboss_iiop_server_packets($1) - corenet_receive_jboss_iiop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive jboss_iiop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_iiop_server_packets'($*)) dnl - - corenet_dontaudit_send_jboss_iiop_server_packets($1) - corenet_dontaudit_receive_jboss_iiop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_iiop_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to jboss_iiop_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_jboss_iiop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_iiop_server_packets'($*)) dnl - - gen_require(` - type jboss_iiop_server_packet_t; - ') - - allow $1 jboss_iiop_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_iiop_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kerberos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kerberos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kerberos port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kerberos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kerberos port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kerberos port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kerberos port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kerberos port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_port'($*)) dnl - - gen_require(` - type kerberos_port_t; - ') - - allow $1 kerberos_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kerberos port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_port'($*)) dnl - - gen_require(` - type kerberos_port_t; - ') - - allow $1 kerberos_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kerberos port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kerberos_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_port'($*)) dnl - - gen_require(` - type kerberos_port_t; - ') - - allow $1 kerberos_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_port'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_client_packets'($*)) dnl - - gen_require(` - type kerberos_client_packet_t; - ') - - allow $1 kerberos_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl - - gen_require(` - type kerberos_client_packet_t; - ') - - dontaudit $1 kerberos_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_client_packets'($*)) dnl - - gen_require(` - type kerberos_client_packet_t; - ') - - allow $1 kerberos_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl - - gen_require(` - type kerberos_client_packet_t; - ') - - dontaudit $1 kerberos_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_client_packets'($*)) dnl - - corenet_send_kerberos_client_packets($1) - corenet_receive_kerberos_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_client_packets($1) - corenet_dontaudit_receive_kerberos_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kerberos_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_client_packets'($*)) dnl - - gen_require(` - type kerberos_client_packet_t; - ') - - allow $1 kerberos_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_server_packets'($*)) dnl - - gen_require(` - type kerberos_server_packet_t; - ') - - allow $1 kerberos_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl - - gen_require(` - type kerberos_server_packet_t; - ') - - dontaudit $1 kerberos_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_server_packets'($*)) dnl - - gen_require(` - type kerberos_server_packet_t; - ') - - allow $1 kerberos_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl - - gen_require(` - type kerberos_server_packet_t; - ') - - dontaudit $1 kerberos_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_server_packets'($*)) dnl - - corenet_send_kerberos_server_packets($1) - corenet_receive_kerberos_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_server_packets($1) - corenet_dontaudit_receive_kerberos_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_kerberos_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_server_packets'($*)) dnl - - gen_require(` - type kerberos_server_packet_t; - ') - - allow $1 kerberos_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kerberos_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kerberos_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kerberos_admin port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kerberos_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kerberos_admin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kerberos_admin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kerberos_admin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kerberos_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_admin_port'($*)) dnl - - gen_require(` - type kerberos_admin_port_t; - ') - - allow $1 kerberos_admin_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kerberos_admin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_admin_port'($*)) dnl - - gen_require(` - type kerberos_admin_port_t; - ') - - allow $1 kerberos_admin_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_admin_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kerberos_admin port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kerberos_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_admin_port'($*)) dnl - - gen_require(` - type kerberos_admin_port_t; - ') - - allow $1 kerberos_admin_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_admin_port'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_admin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_client_packets'($*)) dnl - - gen_require(` - type kerberos_admin_client_packet_t; - ') - - allow $1 kerberos_admin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_admin_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl - - gen_require(` - type kerberos_admin_client_packet_t; - ') - - dontaudit $1 kerberos_admin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_admin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_client_packets'($*)) dnl - - gen_require(` - type kerberos_admin_client_packet_t; - ') - - allow $1 kerberos_admin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_admin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl - - gen_require(` - type kerberos_admin_client_packet_t; - ') - - dontaudit $1 kerberos_admin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_admin_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl - - corenet_send_kerberos_admin_client_packets($1) - corenet_receive_kerberos_admin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_admin_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_admin_client_packets($1) - corenet_dontaudit_receive_kerberos_admin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_admin_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kerberos_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl - - gen_require(` - type kerberos_admin_client_packet_t; - ') - - allow $1 kerberos_admin_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_admin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_server_packets'($*)) dnl - - gen_require(` - type kerberos_admin_server_packet_t; - ') - - allow $1 kerberos_admin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_admin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl - - gen_require(` - type kerberos_admin_server_packet_t; - ') - - dontaudit $1 kerberos_admin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_admin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_server_packets'($*)) dnl - - gen_require(` - type kerberos_admin_server_packet_t; - ') - - allow $1 kerberos_admin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_admin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl - - gen_require(` - type kerberos_admin_server_packet_t; - ') - - dontaudit $1 kerberos_admin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_admin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl - - corenet_send_kerberos_admin_server_packets($1) - corenet_receive_kerberos_admin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_admin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_admin_server_packets($1) - corenet_dontaudit_receive_kerberos_admin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_admin_server the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kerberos_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl - - gen_require(` - type kerberos_admin_server_packet_t; - ') - - allow $1 kerberos_admin_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kerberos_master port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kerberos_master port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kerberos_master port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kerberos_master port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kerberos_master port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kerberos_master port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kerberos_master port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_master_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kerberos_master port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_master_port'($*)) dnl - - gen_require(` - type kerberos_master_port_t; - ') - - allow $1 kerberos_master_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kerberos_master port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_master_port'($*)) dnl - - gen_require(` - type kerberos_master_port_t; - ') - - allow $1 kerberos_master_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_master_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kerberos_master port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kerberos_master_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_master_port'($*)) dnl - - gen_require(` - type kerberos_master_port_t; - ') - - allow $1 kerberos_master_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_master_port'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_master_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_master_client_packets'($*)) dnl - - gen_require(` - type kerberos_master_client_packet_t; - ') - - allow $1 kerberos_master_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_master_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_master_client_packets'($*)) dnl - - gen_require(` - type kerberos_master_client_packet_t; - ') - - dontaudit $1 kerberos_master_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_master_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_master_client_packets'($*)) dnl - - gen_require(` - type kerberos_master_client_packet_t; - ') - - allow $1 kerberos_master_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_master_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_master_client_packets'($*)) dnl - - gen_require(` - type kerberos_master_client_packet_t; - ') - - dontaudit $1 kerberos_master_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_master_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_master_client_packets'($*)) dnl - - corenet_send_kerberos_master_client_packets($1) - corenet_receive_kerberos_master_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_master_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_master_client_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_master_client_packets($1) - corenet_dontaudit_receive_kerberos_master_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_master_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_master_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kerberos_master_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_master_client_packets'($*)) dnl - - gen_require(` - type kerberos_master_client_packet_t; - ') - - allow $1 kerberos_master_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_master_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kerberos_master_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_master_server_packets'($*)) dnl - - gen_require(` - type kerberos_master_server_packet_t; - ') - - allow $1 kerberos_master_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kerberos_master_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_master_server_packets'($*)) dnl - - gen_require(` - type kerberos_master_server_packet_t; - ') - - dontaudit $1 kerberos_master_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kerberos_master_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_master_server_packets'($*)) dnl - - gen_require(` - type kerberos_master_server_packet_t; - ') - - allow $1 kerberos_master_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kerberos_master_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_master_server_packets'($*)) dnl - - gen_require(` - type kerberos_master_server_packet_t; - ') - - dontaudit $1 kerberos_master_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kerberos_master_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_master_server_packets'($*)) dnl - - corenet_send_kerberos_master_server_packets($1) - corenet_receive_kerberos_master_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kerberos_master_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_master_server_packets'($*)) dnl - - corenet_dontaudit_send_kerberos_master_server_packets($1) - corenet_dontaudit_receive_kerberos_master_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_master_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kerberos_master_server the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kerberos_master_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_master_server_packets'($*)) dnl - - gen_require(` - type kerberos_master_server_packet_t; - ') - - allow $1 kerberos_master_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_master_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kismet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kismet_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kismet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kismet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kismet port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kismet_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kismet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kismet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kismet port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kismet_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kismet port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kismet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kismet port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kismet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kismet_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kismet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kismet_port'($*)) dnl - - gen_require(` - type kismet_port_t; - ') - - allow $1 kismet_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kismet_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kismet port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kismet_port'($*)) dnl - - gen_require(` - type kismet_port_t; - ') - - allow $1 kismet_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kismet_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kismet port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kismet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kismet_port'($*)) dnl - - gen_require(` - type kismet_port_t; - ') - - allow $1 kismet_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kismet_port'($*)) dnl - ') - - - -######################################## -## -## Send kismet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kismet_client_packets'($*)) dnl - - gen_require(` - type kismet_client_packet_t; - ') - - allow $1 kismet_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kismet_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kismet_client_packets'($*)) dnl - - gen_require(` - type kismet_client_packet_t; - ') - - dontaudit $1 kismet_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kismet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kismet_client_packets'($*)) dnl - - gen_require(` - type kismet_client_packet_t; - ') - - allow $1 kismet_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kismet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kismet_client_packets'($*)) dnl - - gen_require(` - type kismet_client_packet_t; - ') - - dontaudit $1 kismet_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kismet_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kismet_client_packets'($*)) dnl - - corenet_send_kismet_client_packets($1) - corenet_receive_kismet_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kismet_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kismet_client_packets'($*)) dnl - - corenet_dontaudit_send_kismet_client_packets($1) - corenet_dontaudit_receive_kismet_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kismet_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kismet_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kismet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kismet_client_packets'($*)) dnl - - gen_require(` - type kismet_client_packet_t; - ') - - allow $1 kismet_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kismet_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kismet_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kismet_server_packets'($*)) dnl - - gen_require(` - type kismet_server_packet_t; - ') - - allow $1 kismet_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kismet_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kismet_server_packets'($*)) dnl - - gen_require(` - type kismet_server_packet_t; - ') - - dontaudit $1 kismet_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kismet_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kismet_server_packets'($*)) dnl - - gen_require(` - type kismet_server_packet_t; - ') - - allow $1 kismet_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kismet_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kismet_server_packets'($*)) dnl - - gen_require(` - type kismet_server_packet_t; - ') - - dontaudit $1 kismet_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kismet_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kismet_server_packets'($*)) dnl - - corenet_send_kismet_server_packets($1) - corenet_receive_kismet_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kismet_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kismet_server_packets'($*)) dnl - - corenet_dontaudit_send_kismet_server_packets($1) - corenet_dontaudit_receive_kismet_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kismet_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kismet_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_kismet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kismet_server_packets'($*)) dnl - - gen_require(` - type kismet_server_packet_t; - ') - - allow $1 kismet_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kismet_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kdeconnect port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kdeconnect port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kdeconnect port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kdeconnect port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kdeconnect port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kdeconnect port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kdeconnect port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kdeconnect_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kdeconnect port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kdeconnect_port'($*)) dnl - - gen_require(` - type kdeconnect_port_t; - ') - - allow $1 kdeconnect_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kdeconnect port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kdeconnect_port'($*)) dnl - - gen_require(` - type kdeconnect_port_t; - ') - - allow $1 kdeconnect_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kdeconnect_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kdeconnect port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kdeconnect_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kdeconnect_port'($*)) dnl - - gen_require(` - type kdeconnect_port_t; - ') - - allow $1 kdeconnect_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kdeconnect_port'($*)) dnl - ') - - - -######################################## -## -## Send kdeconnect_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kdeconnect_client_packets'($*)) dnl - - gen_require(` - type kdeconnect_client_packet_t; - ') - - allow $1 kdeconnect_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kdeconnect_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kdeconnect_client_packets'($*)) dnl - - gen_require(` - type kdeconnect_client_packet_t; - ') - - dontaudit $1 kdeconnect_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kdeconnect_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kdeconnect_client_packets'($*)) dnl - - gen_require(` - type kdeconnect_client_packet_t; - ') - - allow $1 kdeconnect_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kdeconnect_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kdeconnect_client_packets'($*)) dnl - - gen_require(` - type kdeconnect_client_packet_t; - ') - - dontaudit $1 kdeconnect_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kdeconnect_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kdeconnect_client_packets'($*)) dnl - - corenet_send_kdeconnect_client_packets($1) - corenet_receive_kdeconnect_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kdeconnect_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kdeconnect_client_packets'($*)) dnl - - corenet_dontaudit_send_kdeconnect_client_packets($1) - corenet_dontaudit_receive_kdeconnect_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kdeconnect_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kdeconnect_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kdeconnect_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kdeconnect_client_packets'($*)) dnl - - gen_require(` - type kdeconnect_client_packet_t; - ') - - allow $1 kdeconnect_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kdeconnect_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kdeconnect_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kdeconnect_server_packets'($*)) dnl - - gen_require(` - type kdeconnect_server_packet_t; - ') - - allow $1 kdeconnect_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kdeconnect_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kdeconnect_server_packets'($*)) dnl - - gen_require(` - type kdeconnect_server_packet_t; - ') - - dontaudit $1 kdeconnect_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kdeconnect_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kdeconnect_server_packets'($*)) dnl - - gen_require(` - type kdeconnect_server_packet_t; - ') - - allow $1 kdeconnect_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kdeconnect_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kdeconnect_server_packets'($*)) dnl - - gen_require(` - type kdeconnect_server_packet_t; - ') - - dontaudit $1 kdeconnect_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kdeconnect_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kdeconnect_server_packets'($*)) dnl - - corenet_send_kdeconnect_server_packets($1) - corenet_receive_kdeconnect_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kdeconnect_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kdeconnect_server_packets'($*)) dnl - - corenet_dontaudit_send_kdeconnect_server_packets($1) - corenet_dontaudit_receive_kdeconnect_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kdeconnect_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kdeconnect_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_kdeconnect_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kdeconnect_server_packets'($*)) dnl - - gen_require(` - type kdeconnect_server_packet_t; - ') - - allow $1 kdeconnect_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kdeconnect_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the kprop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kprop_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the kprop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_kprop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the kprop port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kprop_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the kprop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kprop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the kprop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the kprop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kprop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the kprop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the kprop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kprop_port'($*)) dnl - - gen_require(` - type kprop_port_t; - ') - - allow $1 kprop_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kprop_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the kprop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kprop_port'($*)) dnl - - gen_require(` - type kprop_port_t; - ') - - allow $1 kprop_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kprop_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the kprop port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_kprop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kprop_port'($*)) dnl - - gen_require(` - type kprop_port_t; - ') - - allow $1 kprop_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kprop_port'($*)) dnl - ') - - - -######################################## -## -## Send kprop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_client_packets'($*)) dnl - - gen_require(` - type kprop_client_packet_t; - ') - - allow $1 kprop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kprop_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_client_packets'($*)) dnl - - gen_require(` - type kprop_client_packet_t; - ') - - dontaudit $1 kprop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive kprop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_client_packets'($*)) dnl - - gen_require(` - type kprop_client_packet_t; - ') - - allow $1 kprop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kprop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl - - gen_require(` - type kprop_client_packet_t; - ') - - dontaudit $1 kprop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kprop_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_client_packets'($*)) dnl - - corenet_send_kprop_client_packets($1) - corenet_receive_kprop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kprop_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl - - corenet_dontaudit_send_kprop_client_packets($1) - corenet_dontaudit_receive_kprop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kprop_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_kprop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_client_packets'($*)) dnl - - gen_require(` - type kprop_client_packet_t; - ') - - allow $1 kprop_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send kprop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_server_packets'($*)) dnl - - gen_require(` - type kprop_server_packet_t; - ') - - allow $1 kprop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kprop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_server_packets'($*)) dnl - - gen_require(` - type kprop_server_packet_t; - ') - - dontaudit $1 kprop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive kprop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_server_packets'($*)) dnl - - gen_require(` - type kprop_server_packet_t; - ') - - allow $1 kprop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive kprop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl - - gen_require(` - type kprop_server_packet_t; - ') - - dontaudit $1 kprop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive kprop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_server_packets'($*)) dnl - - corenet_send_kprop_server_packets($1) - corenet_receive_kprop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive kprop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl - - corenet_dontaudit_send_kprop_server_packets($1) - corenet_dontaudit_receive_kprop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to kprop_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_kprop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_server_packets'($*)) dnl - - gen_require(` - type kprop_server_packet_t; - ') - - allow $1 kprop_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ktalkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ktalkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ktalkd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ktalkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ktalkd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ktalkd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ktalkd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ktalkd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ktalkd_port'($*)) dnl - - gen_require(` - type ktalkd_port_t; - ') - - allow $1 ktalkd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ktalkd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ktalkd_port'($*)) dnl - - gen_require(` - type ktalkd_port_t; - ') - - allow $1 ktalkd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ktalkd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ktalkd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ktalkd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ktalkd_port'($*)) dnl - - gen_require(` - type ktalkd_port_t; - ') - - allow $1 ktalkd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ktalkd_port'($*)) dnl - ') - - - -######################################## -## -## Send ktalkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_client_packets'($*)) dnl - - gen_require(` - type ktalkd_client_packet_t; - ') - - allow $1 ktalkd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ktalkd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl - - gen_require(` - type ktalkd_client_packet_t; - ') - - dontaudit $1 ktalkd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ktalkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_client_packets'($*)) dnl - - gen_require(` - type ktalkd_client_packet_t; - ') - - allow $1 ktalkd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ktalkd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl - - gen_require(` - type ktalkd_client_packet_t; - ') - - dontaudit $1 ktalkd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ktalkd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_client_packets'($*)) dnl - - corenet_send_ktalkd_client_packets($1) - corenet_receive_ktalkd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ktalkd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl - - corenet_dontaudit_send_ktalkd_client_packets($1) - corenet_dontaudit_receive_ktalkd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ktalkd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ktalkd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_client_packets'($*)) dnl - - gen_require(` - type ktalkd_client_packet_t; - ') - - allow $1 ktalkd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ktalkd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_server_packets'($*)) dnl - - gen_require(` - type ktalkd_server_packet_t; - ') - - allow $1 ktalkd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ktalkd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl - - gen_require(` - type ktalkd_server_packet_t; - ') - - dontaudit $1 ktalkd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ktalkd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_server_packets'($*)) dnl - - gen_require(` - type ktalkd_server_packet_t; - ') - - allow $1 ktalkd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ktalkd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl - - gen_require(` - type ktalkd_server_packet_t; - ') - - dontaudit $1 ktalkd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ktalkd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_server_packets'($*)) dnl - - corenet_send_ktalkd_server_packets($1) - corenet_receive_ktalkd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ktalkd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl - - corenet_dontaudit_send_ktalkd_server_packets($1) - corenet_dontaudit_receive_ktalkd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ktalkd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ktalkd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_server_packets'($*)) dnl - - gen_require(` - type ktalkd_server_packet_t; - ') - - allow $1 ktalkd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the l2tp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the l2tp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the l2tp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the l2tp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the l2tp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the l2tp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the l2tp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the l2tp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_l2tp_port'($*)) dnl - - gen_require(` - type l2tp_port_t; - ') - - allow $1 l2tp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the l2tp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_l2tp_port'($*)) dnl - - gen_require(` - type l2tp_port_t; - ') - - allow $1 l2tp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_l2tp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the l2tp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_l2tp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_l2tp_port'($*)) dnl - - gen_require(` - type l2tp_port_t; - ') - - allow $1 l2tp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_l2tp_port'($*)) dnl - ') - - - -######################################## -## -## Send l2tp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_client_packets'($*)) dnl - - gen_require(` - type l2tp_client_packet_t; - ') - - allow $1 l2tp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send l2tp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl - - gen_require(` - type l2tp_client_packet_t; - ') - - dontaudit $1 l2tp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive l2tp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_client_packets'($*)) dnl - - gen_require(` - type l2tp_client_packet_t; - ') - - allow $1 l2tp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive l2tp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl - - gen_require(` - type l2tp_client_packet_t; - ') - - dontaudit $1 l2tp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive l2tp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_client_packets'($*)) dnl - - corenet_send_l2tp_client_packets($1) - corenet_receive_l2tp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive l2tp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl - - corenet_dontaudit_send_l2tp_client_packets($1) - corenet_dontaudit_receive_l2tp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to l2tp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_l2tp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_client_packets'($*)) dnl - - gen_require(` - type l2tp_client_packet_t; - ') - - allow $1 l2tp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send l2tp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_server_packets'($*)) dnl - - gen_require(` - type l2tp_server_packet_t; - ') - - allow $1 l2tp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send l2tp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl - - gen_require(` - type l2tp_server_packet_t; - ') - - dontaudit $1 l2tp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive l2tp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_server_packets'($*)) dnl - - gen_require(` - type l2tp_server_packet_t; - ') - - allow $1 l2tp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive l2tp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl - - gen_require(` - type l2tp_server_packet_t; - ') - - dontaudit $1 l2tp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive l2tp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_server_packets'($*)) dnl - - corenet_send_l2tp_server_packets($1) - corenet_receive_l2tp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive l2tp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl - - corenet_dontaudit_send_l2tp_server_packets($1) - corenet_dontaudit_receive_l2tp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to l2tp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_l2tp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_server_packets'($*)) dnl - - gen_require(` - type l2tp_server_packet_t; - ') - - allow $1 l2tp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ldap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ldap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ldap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ldap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ldap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ldap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ldap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ldap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ldap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ldap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ldap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ldap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ldap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ldap_port'($*)) dnl - - gen_require(` - type ldap_port_t; - ') - - allow $1 ldap_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ldap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ldap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ldap_port'($*)) dnl - - gen_require(` - type ldap_port_t; - ') - - allow $1 ldap_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ldap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ldap port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ldap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ldap_port'($*)) dnl - - gen_require(` - type ldap_port_t; - ') - - allow $1 ldap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ldap_port'($*)) dnl - ') - - - -######################################## -## -## Send ldap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_client_packets'($*)) dnl - - gen_require(` - type ldap_client_packet_t; - ') - - allow $1 ldap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ldap_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_client_packets'($*)) dnl - - gen_require(` - type ldap_client_packet_t; - ') - - dontaudit $1 ldap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ldap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_client_packets'($*)) dnl - - gen_require(` - type ldap_client_packet_t; - ') - - allow $1 ldap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ldap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl - - gen_require(` - type ldap_client_packet_t; - ') - - dontaudit $1 ldap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ldap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_client_packets'($*)) dnl - - corenet_send_ldap_client_packets($1) - corenet_receive_ldap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ldap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl - - corenet_dontaudit_send_ldap_client_packets($1) - corenet_dontaudit_receive_ldap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ldap_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ldap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_client_packets'($*)) dnl - - gen_require(` - type ldap_client_packet_t; - ') - - allow $1 ldap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ldap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_server_packets'($*)) dnl - - gen_require(` - type ldap_server_packet_t; - ') - - allow $1 ldap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ldap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_server_packets'($*)) dnl - - gen_require(` - type ldap_server_packet_t; - ') - - dontaudit $1 ldap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ldap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_server_packets'($*)) dnl - - gen_require(` - type ldap_server_packet_t; - ') - - allow $1 ldap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ldap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl - - gen_require(` - type ldap_server_packet_t; - ') - - dontaudit $1 ldap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ldap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_server_packets'($*)) dnl - - corenet_send_ldap_server_packets($1) - corenet_receive_ldap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ldap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl - - corenet_dontaudit_send_ldap_server_packets($1) - corenet_dontaudit_receive_ldap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ldap_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ldap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_server_packets'($*)) dnl - - gen_require(` - type ldap_server_packet_t; - ') - - allow $1 ldap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the lirc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lirc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the lirc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_lirc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the lirc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lirc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the lirc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lirc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the lirc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the lirc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lirc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the lirc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the lirc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lirc_port'($*)) dnl - - gen_require(` - type lirc_port_t; - ') - - allow $1 lirc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lirc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the lirc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lirc_port'($*)) dnl - - gen_require(` - type lirc_port_t; - ') - - allow $1 lirc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lirc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the lirc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_lirc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lirc_port'($*)) dnl - - gen_require(` - type lirc_port_t; - ') - - allow $1 lirc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lirc_port'($*)) dnl - ') - - - -######################################## -## -## Send lirc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_client_packets'($*)) dnl - - gen_require(` - type lirc_client_packet_t; - ') - - allow $1 lirc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lirc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_client_packets'($*)) dnl - - gen_require(` - type lirc_client_packet_t; - ') - - dontaudit $1 lirc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive lirc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_client_packets'($*)) dnl - - gen_require(` - type lirc_client_packet_t; - ') - - allow $1 lirc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lirc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl - - gen_require(` - type lirc_client_packet_t; - ') - - dontaudit $1 lirc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lirc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_client_packets'($*)) dnl - - corenet_send_lirc_client_packets($1) - corenet_receive_lirc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lirc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl - - corenet_dontaudit_send_lirc_client_packets($1) - corenet_dontaudit_receive_lirc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lirc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_lirc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_client_packets'($*)) dnl - - gen_require(` - type lirc_client_packet_t; - ') - - allow $1 lirc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send lirc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_server_packets'($*)) dnl - - gen_require(` - type lirc_server_packet_t; - ') - - allow $1 lirc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lirc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_server_packets'($*)) dnl - - gen_require(` - type lirc_server_packet_t; - ') - - dontaudit $1 lirc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive lirc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_server_packets'($*)) dnl - - gen_require(` - type lirc_server_packet_t; - ') - - allow $1 lirc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lirc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl - - gen_require(` - type lirc_server_packet_t; - ') - - dontaudit $1 lirc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lirc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_server_packets'($*)) dnl - - corenet_send_lirc_server_packets($1) - corenet_receive_lirc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lirc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl - - corenet_dontaudit_send_lirc_server_packets($1) - corenet_dontaudit_receive_lirc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lirc_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_lirc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_server_packets'($*)) dnl - - gen_require(` - type lirc_server_packet_t; - ') - - allow $1 lirc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the llmnr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the llmnr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the llmnr port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the llmnr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the llmnr port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the llmnr port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the llmnr port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the llmnr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_llmnr_port'($*)) dnl - - gen_require(` - type llmnr_port_t; - ') - - allow $1 llmnr_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the llmnr port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_llmnr_port'($*)) dnl - - gen_require(` - type llmnr_port_t; - ') - - allow $1 llmnr_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_llmnr_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the llmnr port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_llmnr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_llmnr_port'($*)) dnl - - gen_require(` - type llmnr_port_t; - ') - - allow $1 llmnr_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_llmnr_port'($*)) dnl - ') - - - -######################################## -## -## Send llmnr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_client_packets'($*)) dnl - - gen_require(` - type llmnr_client_packet_t; - ') - - allow $1 llmnr_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send llmnr_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl - - gen_require(` - type llmnr_client_packet_t; - ') - - dontaudit $1 llmnr_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive llmnr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_client_packets'($*)) dnl - - gen_require(` - type llmnr_client_packet_t; - ') - - allow $1 llmnr_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive llmnr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl - - gen_require(` - type llmnr_client_packet_t; - ') - - dontaudit $1 llmnr_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive llmnr_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_client_packets'($*)) dnl - - corenet_send_llmnr_client_packets($1) - corenet_receive_llmnr_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive llmnr_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl - - corenet_dontaudit_send_llmnr_client_packets($1) - corenet_dontaudit_receive_llmnr_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to llmnr_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_llmnr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_client_packets'($*)) dnl - - gen_require(` - type llmnr_client_packet_t; - ') - - allow $1 llmnr_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send llmnr_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_server_packets'($*)) dnl - - gen_require(` - type llmnr_server_packet_t; - ') - - allow $1 llmnr_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send llmnr_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl - - gen_require(` - type llmnr_server_packet_t; - ') - - dontaudit $1 llmnr_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive llmnr_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_server_packets'($*)) dnl - - gen_require(` - type llmnr_server_packet_t; - ') - - allow $1 llmnr_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive llmnr_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl - - gen_require(` - type llmnr_server_packet_t; - ') - - dontaudit $1 llmnr_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive llmnr_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_server_packets'($*)) dnl - - corenet_send_llmnr_server_packets($1) - corenet_receive_llmnr_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive llmnr_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl - - corenet_dontaudit_send_llmnr_server_packets($1) - corenet_dontaudit_receive_llmnr_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to llmnr_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_llmnr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_server_packets'($*)) dnl - - gen_require(` - type llmnr_server_packet_t; - ') - - allow $1 llmnr_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the lmtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the lmtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the lmtp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the lmtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the lmtp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the lmtp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the lmtp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the lmtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lmtp_port'($*)) dnl - - gen_require(` - type lmtp_port_t; - ') - - allow $1 lmtp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the lmtp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lmtp_port'($*)) dnl - - gen_require(` - type lmtp_port_t; - ') - - allow $1 lmtp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lmtp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the lmtp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_lmtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lmtp_port'($*)) dnl - - gen_require(` - type lmtp_port_t; - ') - - allow $1 lmtp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lmtp_port'($*)) dnl - ') - - - -######################################## -## -## Send lmtp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_client_packets'($*)) dnl - - gen_require(` - type lmtp_client_packet_t; - ') - - allow $1 lmtp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lmtp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl - - gen_require(` - type lmtp_client_packet_t; - ') - - dontaudit $1 lmtp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive lmtp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_client_packets'($*)) dnl - - gen_require(` - type lmtp_client_packet_t; - ') - - allow $1 lmtp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lmtp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl - - gen_require(` - type lmtp_client_packet_t; - ') - - dontaudit $1 lmtp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lmtp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_client_packets'($*)) dnl - - corenet_send_lmtp_client_packets($1) - corenet_receive_lmtp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lmtp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl - - corenet_dontaudit_send_lmtp_client_packets($1) - corenet_dontaudit_receive_lmtp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lmtp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_lmtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_client_packets'($*)) dnl - - gen_require(` - type lmtp_client_packet_t; - ') - - allow $1 lmtp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send lmtp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_server_packets'($*)) dnl - - gen_require(` - type lmtp_server_packet_t; - ') - - allow $1 lmtp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lmtp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl - - gen_require(` - type lmtp_server_packet_t; - ') - - dontaudit $1 lmtp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive lmtp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_server_packets'($*)) dnl - - gen_require(` - type lmtp_server_packet_t; - ') - - allow $1 lmtp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lmtp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl - - gen_require(` - type lmtp_server_packet_t; - ') - - dontaudit $1 lmtp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lmtp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_server_packets'($*)) dnl - - corenet_send_lmtp_server_packets($1) - corenet_receive_lmtp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lmtp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl - - corenet_dontaudit_send_lmtp_server_packets($1) - corenet_dontaudit_receive_lmtp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lmtp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_lmtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_server_packets'($*)) dnl - - gen_require(` - type lmtp_server_packet_t; - ') - - allow $1 lmtp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the lrrd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the lrrd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the lrrd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the lrrd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the lrrd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the lrrd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the lrrd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the lrrd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lrrd_port'($*)) dnl - - gen_require(` - type lrrd_port_t; - ') - - allow $1 lrrd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the lrrd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lrrd_port'($*)) dnl - - gen_require(` - type lrrd_port_t; - ') - - allow $1 lrrd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lrrd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the lrrd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_lrrd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lrrd_port'($*)) dnl - - gen_require(` - type lrrd_port_t; - ') - - allow $1 lrrd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lrrd_port'($*)) dnl - ') - - - -######################################## -## -## Send lrrd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_client_packets'($*)) dnl - - gen_require(` - type lrrd_client_packet_t; - ') - - allow $1 lrrd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lrrd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl - - gen_require(` - type lrrd_client_packet_t; - ') - - dontaudit $1 lrrd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive lrrd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_client_packets'($*)) dnl - - gen_require(` - type lrrd_client_packet_t; - ') - - allow $1 lrrd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lrrd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl - - gen_require(` - type lrrd_client_packet_t; - ') - - dontaudit $1 lrrd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lrrd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_client_packets'($*)) dnl - - corenet_send_lrrd_client_packets($1) - corenet_receive_lrrd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lrrd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl - - corenet_dontaudit_send_lrrd_client_packets($1) - corenet_dontaudit_receive_lrrd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lrrd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_lrrd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_client_packets'($*)) dnl - - gen_require(` - type lrrd_client_packet_t; - ') - - allow $1 lrrd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send lrrd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_server_packets'($*)) dnl - - gen_require(` - type lrrd_server_packet_t; - ') - - allow $1 lrrd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send lrrd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl - - gen_require(` - type lrrd_server_packet_t; - ') - - dontaudit $1 lrrd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive lrrd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_server_packets'($*)) dnl - - gen_require(` - type lrrd_server_packet_t; - ') - - allow $1 lrrd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive lrrd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl - - gen_require(` - type lrrd_server_packet_t; - ') - - dontaudit $1 lrrd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive lrrd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_server_packets'($*)) dnl - - corenet_send_lrrd_server_packets($1) - corenet_receive_lrrd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive lrrd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl - - corenet_dontaudit_send_lrrd_server_packets($1) - corenet_dontaudit_receive_lrrd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to lrrd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_lrrd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_server_packets'($*)) dnl - - gen_require(` - type lrrd_server_packet_t; - ') - - allow $1 lrrd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the mail port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mail_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mail port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mail_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mail port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mail_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mail port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mail_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mail port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mail_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mail port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mail_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mail port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mail port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mail_port'($*)) dnl - - gen_require(` - type mail_port_t; - ') - - allow $1 mail_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mail_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mail port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mail_port'($*)) dnl - - gen_require(` - type mail_port_t; - ') - - allow $1 mail_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mail_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mail port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mail_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mail_port'($*)) dnl - - gen_require(` - type mail_port_t; - ') - - allow $1 mail_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mail_port'($*)) dnl - ') - - - -######################################## -## -## Send mail_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mail_client_packets'($*)) dnl - - gen_require(` - type mail_client_packet_t; - ') - - allow $1 mail_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mail_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_client_packets'($*)) dnl - - gen_require(` - type mail_client_packet_t; - ') - - dontaudit $1 mail_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mail_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_client_packets'($*)) dnl - - gen_require(` - type mail_client_packet_t; - ') - - allow $1 mail_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mail_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_client_packets'($*)) dnl - - gen_require(` - type mail_client_packet_t; - ') - - dontaudit $1 mail_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mail_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_client_packets'($*)) dnl - - corenet_send_mail_client_packets($1) - corenet_receive_mail_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mail_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl - - corenet_dontaudit_send_mail_client_packets($1) - corenet_dontaudit_receive_mail_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mail_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mail_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_client_packets'($*)) dnl - - gen_require(` - type mail_client_packet_t; - ') - - allow $1 mail_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mail_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mail_server_packets'($*)) dnl - - gen_require(` - type mail_server_packet_t; - ') - - allow $1 mail_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mail_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_server_packets'($*)) dnl - - gen_require(` - type mail_server_packet_t; - ') - - dontaudit $1 mail_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mail_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_server_packets'($*)) dnl - - gen_require(` - type mail_server_packet_t; - ') - - allow $1 mail_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mail_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_server_packets'($*)) dnl - - gen_require(` - type mail_server_packet_t; - ') - - dontaudit $1 mail_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mail_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_server_packets'($*)) dnl - - corenet_send_mail_server_packets($1) - corenet_receive_mail_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mail_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl - - corenet_dontaudit_send_mail_server_packets($1) - corenet_dontaudit_receive_mail_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mail_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mail_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_server_packets'($*)) dnl - - gen_require(` - type mail_server_packet_t; - ') - - allow $1 mail_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the matahari port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_matahari_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the matahari port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_matahari_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the matahari port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_matahari_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the matahari port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_matahari_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the matahari port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the matahari port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_matahari_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the matahari port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the matahari port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_matahari_port'($*)) dnl - - gen_require(` - type matahari_port_t; - ') - - allow $1 matahari_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_matahari_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the matahari port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_matahari_port'($*)) dnl - - gen_require(` - type matahari_port_t; - ') - - allow $1 matahari_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_matahari_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the matahari port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_matahari_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_matahari_port'($*)) dnl - - gen_require(` - type matahari_port_t; - ') - - allow $1 matahari_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_matahari_port'($*)) dnl - ') - - - -######################################## -## -## Send matahari_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_client_packets'($*)) dnl - - gen_require(` - type matahari_client_packet_t; - ') - - allow $1 matahari_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send matahari_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_client_packets'($*)) dnl - - gen_require(` - type matahari_client_packet_t; - ') - - dontaudit $1 matahari_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive matahari_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_client_packets'($*)) dnl - - gen_require(` - type matahari_client_packet_t; - ') - - allow $1 matahari_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive matahari_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl - - gen_require(` - type matahari_client_packet_t; - ') - - dontaudit $1 matahari_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive matahari_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_client_packets'($*)) dnl - - corenet_send_matahari_client_packets($1) - corenet_receive_matahari_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive matahari_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl - - corenet_dontaudit_send_matahari_client_packets($1) - corenet_dontaudit_receive_matahari_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to matahari_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_matahari_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_client_packets'($*)) dnl - - gen_require(` - type matahari_client_packet_t; - ') - - allow $1 matahari_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send matahari_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_server_packets'($*)) dnl - - gen_require(` - type matahari_server_packet_t; - ') - - allow $1 matahari_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send matahari_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_server_packets'($*)) dnl - - gen_require(` - type matahari_server_packet_t; - ') - - dontaudit $1 matahari_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive matahari_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_server_packets'($*)) dnl - - gen_require(` - type matahari_server_packet_t; - ') - - allow $1 matahari_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive matahari_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl - - gen_require(` - type matahari_server_packet_t; - ') - - dontaudit $1 matahari_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive matahari_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_server_packets'($*)) dnl - - corenet_send_matahari_server_packets($1) - corenet_receive_matahari_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive matahari_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl - - corenet_dontaudit_send_matahari_server_packets($1) - corenet_dontaudit_receive_matahari_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to matahari_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_matahari_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_server_packets'($*)) dnl - - gen_require(` - type matahari_server_packet_t; - ') - - allow $1 matahari_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the memcache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_memcache_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the memcache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_memcache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the memcache port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_memcache_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the memcache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_memcache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the memcache port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the memcache port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_memcache_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the memcache port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the memcache port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_memcache_port'($*)) dnl - - gen_require(` - type memcache_port_t; - ') - - allow $1 memcache_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_memcache_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the memcache port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_memcache_port'($*)) dnl - - gen_require(` - type memcache_port_t; - ') - - allow $1 memcache_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_memcache_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the memcache port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_memcache_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_memcache_port'($*)) dnl - - gen_require(` - type memcache_port_t; - ') - - allow $1 memcache_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_memcache_port'($*)) dnl - ') - - - -######################################## -## -## Send memcache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_client_packets'($*)) dnl - - gen_require(` - type memcache_client_packet_t; - ') - - allow $1 memcache_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send memcache_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_client_packets'($*)) dnl - - gen_require(` - type memcache_client_packet_t; - ') - - dontaudit $1 memcache_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive memcache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_client_packets'($*)) dnl - - gen_require(` - type memcache_client_packet_t; - ') - - allow $1 memcache_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive memcache_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl - - gen_require(` - type memcache_client_packet_t; - ') - - dontaudit $1 memcache_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive memcache_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_client_packets'($*)) dnl - - corenet_send_memcache_client_packets($1) - corenet_receive_memcache_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive memcache_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl - - corenet_dontaudit_send_memcache_client_packets($1) - corenet_dontaudit_receive_memcache_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to memcache_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_memcache_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_client_packets'($*)) dnl - - gen_require(` - type memcache_client_packet_t; - ') - - allow $1 memcache_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send memcache_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_server_packets'($*)) dnl - - gen_require(` - type memcache_server_packet_t; - ') - - allow $1 memcache_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send memcache_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_server_packets'($*)) dnl - - gen_require(` - type memcache_server_packet_t; - ') - - dontaudit $1 memcache_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive memcache_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_server_packets'($*)) dnl - - gen_require(` - type memcache_server_packet_t; - ') - - allow $1 memcache_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive memcache_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl - - gen_require(` - type memcache_server_packet_t; - ') - - dontaudit $1 memcache_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive memcache_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_server_packets'($*)) dnl - - corenet_send_memcache_server_packets($1) - corenet_receive_memcache_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive memcache_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl - - corenet_dontaudit_send_memcache_server_packets($1) - corenet_dontaudit_receive_memcache_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to memcache_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_memcache_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_server_packets'($*)) dnl - - gen_require(` - type memcache_server_packet_t; - ') - - allow $1 memcache_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the milter port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_milter_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the milter port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_milter_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the milter port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_milter_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the milter port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_milter_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the milter port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_milter_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the milter port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_milter_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the milter port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the milter port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_milter_port'($*)) dnl - - gen_require(` - type milter_port_t; - ') - - allow $1 milter_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_milter_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the milter port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_milter_port'($*)) dnl - - gen_require(` - type milter_port_t; - ') - - allow $1 milter_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_milter_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the milter port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_milter_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_milter_port'($*)) dnl - - gen_require(` - type milter_port_t; - ') - - allow $1 milter_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_milter_port'($*)) dnl - ') - - - -######################################## -## -## Send milter_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_milter_client_packets'($*)) dnl - - gen_require(` - type milter_client_packet_t; - ') - - allow $1 milter_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send milter_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_client_packets'($*)) dnl - - gen_require(` - type milter_client_packet_t; - ') - - dontaudit $1 milter_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive milter_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_client_packets'($*)) dnl - - gen_require(` - type milter_client_packet_t; - ') - - allow $1 milter_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive milter_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_client_packets'($*)) dnl - - gen_require(` - type milter_client_packet_t; - ') - - dontaudit $1 milter_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive milter_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_client_packets'($*)) dnl - - corenet_send_milter_client_packets($1) - corenet_receive_milter_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive milter_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl - - corenet_dontaudit_send_milter_client_packets($1) - corenet_dontaudit_receive_milter_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to milter_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_milter_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_client_packets'($*)) dnl - - gen_require(` - type milter_client_packet_t; - ') - - allow $1 milter_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send milter_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_milter_server_packets'($*)) dnl - - gen_require(` - type milter_server_packet_t; - ') - - allow $1 milter_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send milter_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_server_packets'($*)) dnl - - gen_require(` - type milter_server_packet_t; - ') - - dontaudit $1 milter_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive milter_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_server_packets'($*)) dnl - - gen_require(` - type milter_server_packet_t; - ') - - allow $1 milter_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive milter_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_server_packets'($*)) dnl - - gen_require(` - type milter_server_packet_t; - ') - - dontaudit $1 milter_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive milter_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_server_packets'($*)) dnl - - corenet_send_milter_server_packets($1) - corenet_receive_milter_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive milter_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl - - corenet_dontaudit_send_milter_server_packets($1) - corenet_dontaudit_receive_milter_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to milter_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_milter_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_server_packets'($*)) dnl - - gen_require(` - type milter_server_packet_t; - ') - - allow $1 milter_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the mmcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mmcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mmcc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mmcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mmcc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mmcc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mmcc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mmcc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mmcc_port'($*)) dnl - - gen_require(` - type mmcc_port_t; - ') - - allow $1 mmcc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mmcc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mmcc_port'($*)) dnl - - gen_require(` - type mmcc_port_t; - ') - - allow $1 mmcc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mmcc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mmcc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mmcc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mmcc_port'($*)) dnl - - gen_require(` - type mmcc_port_t; - ') - - allow $1 mmcc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mmcc_port'($*)) dnl - ') - - - -######################################## -## -## Send mmcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_client_packets'($*)) dnl - - gen_require(` - type mmcc_client_packet_t; - ') - - allow $1 mmcc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mmcc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl - - gen_require(` - type mmcc_client_packet_t; - ') - - dontaudit $1 mmcc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mmcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_client_packets'($*)) dnl - - gen_require(` - type mmcc_client_packet_t; - ') - - allow $1 mmcc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mmcc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl - - gen_require(` - type mmcc_client_packet_t; - ') - - dontaudit $1 mmcc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mmcc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_client_packets'($*)) dnl - - corenet_send_mmcc_client_packets($1) - corenet_receive_mmcc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mmcc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl - - corenet_dontaudit_send_mmcc_client_packets($1) - corenet_dontaudit_receive_mmcc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mmcc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mmcc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_client_packets'($*)) dnl - - gen_require(` - type mmcc_client_packet_t; - ') - - allow $1 mmcc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mmcc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_server_packets'($*)) dnl - - gen_require(` - type mmcc_server_packet_t; - ') - - allow $1 mmcc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mmcc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl - - gen_require(` - type mmcc_server_packet_t; - ') - - dontaudit $1 mmcc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mmcc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_server_packets'($*)) dnl - - gen_require(` - type mmcc_server_packet_t; - ') - - allow $1 mmcc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mmcc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl - - gen_require(` - type mmcc_server_packet_t; - ') - - dontaudit $1 mmcc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mmcc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_server_packets'($*)) dnl - - corenet_send_mmcc_server_packets($1) - corenet_receive_mmcc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mmcc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl - - corenet_dontaudit_send_mmcc_server_packets($1) - corenet_dontaudit_receive_mmcc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mmcc_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mmcc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_server_packets'($*)) dnl - - gen_require(` - type mmcc_server_packet_t; - ') - - allow $1 mmcc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mon_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mon port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mon_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mon_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mon_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mon port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mon_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mon_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mon port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mon_port'($*)) dnl - - gen_require(` - type mon_port_t; - ') - - allow $1 mon_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mon_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mon port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mon_port'($*)) dnl - - gen_require(` - type mon_port_t; - ') - - allow $1 mon_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mon_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mon port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mon_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mon_port'($*)) dnl - - gen_require(` - type mon_port_t; - ') - - allow $1 mon_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mon_port'($*)) dnl - ') - - - -######################################## -## -## Send mon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mon_client_packets'($*)) dnl - - gen_require(` - type mon_client_packet_t; - ') - - allow $1 mon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mon_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mon_client_packets'($*)) dnl - - gen_require(` - type mon_client_packet_t; - ') - - dontaudit $1 mon_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mon_client_packets'($*)) dnl - - gen_require(` - type mon_client_packet_t; - ') - - allow $1 mon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mon_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mon_client_packets'($*)) dnl - - gen_require(` - type mon_client_packet_t; - ') - - dontaudit $1 mon_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mon_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mon_client_packets'($*)) dnl - - corenet_send_mon_client_packets($1) - corenet_receive_mon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mon_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mon_client_packets'($*)) dnl - - corenet_dontaudit_send_mon_client_packets($1) - corenet_dontaudit_receive_mon_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mon_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mon_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mon_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mon_client_packets'($*)) dnl - - gen_require(` - type mon_client_packet_t; - ') - - allow $1 mon_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mon_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mon_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mon_server_packets'($*)) dnl - - gen_require(` - type mon_server_packet_t; - ') - - allow $1 mon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mon_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mon_server_packets'($*)) dnl - - gen_require(` - type mon_server_packet_t; - ') - - dontaudit $1 mon_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mon_server_packets'($*)) dnl - - gen_require(` - type mon_server_packet_t; - ') - - allow $1 mon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mon_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mon_server_packets'($*)) dnl - - gen_require(` - type mon_server_packet_t; - ') - - dontaudit $1 mon_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mon_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mon_server_packets'($*)) dnl - - corenet_send_mon_server_packets($1) - corenet_receive_mon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mon_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mon_server_packets'($*)) dnl - - corenet_dontaudit_send_mon_server_packets($1) - corenet_dontaudit_receive_mon_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mon_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mon_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mon_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mon_server_packets'($*)) dnl - - gen_require(` - type mon_server_packet_t; - ') - - allow $1 mon_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mon_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the monit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_monit_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the monit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_monit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the monit port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_monit_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the monit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_monit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the monit port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_monit_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the monit port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_monit_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the monit port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_monit_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_monit_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the monit port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_monit_port'($*)) dnl - - gen_require(` - type monit_port_t; - ') - - allow $1 monit_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_monit_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the monit port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_monit_port'($*)) dnl - - gen_require(` - type monit_port_t; - ') - - allow $1 monit_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_monit_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the monit port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_monit_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_monit_port'($*)) dnl - - gen_require(` - type monit_port_t; - ') - - allow $1 monit_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_monit_port'($*)) dnl - ') - - - -######################################## -## -## Send monit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_monit_client_packets'($*)) dnl - - gen_require(` - type monit_client_packet_t; - ') - - allow $1 monit_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send monit_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monit_client_packets'($*)) dnl - - gen_require(` - type monit_client_packet_t; - ') - - dontaudit $1 monit_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive monit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_monit_client_packets'($*)) dnl - - gen_require(` - type monit_client_packet_t; - ') - - allow $1 monit_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive monit_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monit_client_packets'($*)) dnl - - gen_require(` - type monit_client_packet_t; - ') - - dontaudit $1 monit_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive monit_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monit_client_packets'($*)) dnl - - corenet_send_monit_client_packets($1) - corenet_receive_monit_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive monit_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monit_client_packets'($*)) dnl - - corenet_dontaudit_send_monit_client_packets($1) - corenet_dontaudit_receive_monit_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monit_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to monit_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_monit_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monit_client_packets'($*)) dnl - - gen_require(` - type monit_client_packet_t; - ') - - allow $1 monit_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_monit_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send monit_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_monit_server_packets'($*)) dnl - - gen_require(` - type monit_server_packet_t; - ') - - allow $1 monit_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send monit_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monit_server_packets'($*)) dnl - - gen_require(` - type monit_server_packet_t; - ') - - dontaudit $1 monit_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive monit_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_monit_server_packets'($*)) dnl - - gen_require(` - type monit_server_packet_t; - ') - - allow $1 monit_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive monit_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monit_server_packets'($*)) dnl - - gen_require(` - type monit_server_packet_t; - ') - - dontaudit $1 monit_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive monit_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monit_server_packets'($*)) dnl - - corenet_send_monit_server_packets($1) - corenet_receive_monit_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive monit_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monit_server_packets'($*)) dnl - - corenet_dontaudit_send_monit_server_packets($1) - corenet_dontaudit_receive_monit_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monit_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to monit_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_monit_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monit_server_packets'($*)) dnl - - gen_require(` - type monit_server_packet_t; - ') - - allow $1 monit_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_monit_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the monopd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_monopd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the monopd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_monopd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the monopd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_monopd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the monopd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_monopd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the monopd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the monopd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_monopd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the monopd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the monopd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_monopd_port'($*)) dnl - - gen_require(` - type monopd_port_t; - ') - - allow $1 monopd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_monopd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the monopd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_monopd_port'($*)) dnl - - gen_require(` - type monopd_port_t; - ') - - allow $1 monopd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_monopd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the monopd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_monopd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_monopd_port'($*)) dnl - - gen_require(` - type monopd_port_t; - ') - - allow $1 monopd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_monopd_port'($*)) dnl - ') - - - -######################################## -## -## Send monopd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_client_packets'($*)) dnl - - gen_require(` - type monopd_client_packet_t; - ') - - allow $1 monopd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send monopd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_client_packets'($*)) dnl - - gen_require(` - type monopd_client_packet_t; - ') - - dontaudit $1 monopd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive monopd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_client_packets'($*)) dnl - - gen_require(` - type monopd_client_packet_t; - ') - - allow $1 monopd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive monopd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl - - gen_require(` - type monopd_client_packet_t; - ') - - dontaudit $1 monopd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive monopd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_client_packets'($*)) dnl - - corenet_send_monopd_client_packets($1) - corenet_receive_monopd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive monopd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl - - corenet_dontaudit_send_monopd_client_packets($1) - corenet_dontaudit_receive_monopd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to monopd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_monopd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_client_packets'($*)) dnl - - gen_require(` - type monopd_client_packet_t; - ') - - allow $1 monopd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send monopd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_server_packets'($*)) dnl - - gen_require(` - type monopd_server_packet_t; - ') - - allow $1 monopd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send monopd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_server_packets'($*)) dnl - - gen_require(` - type monopd_server_packet_t; - ') - - dontaudit $1 monopd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive monopd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_server_packets'($*)) dnl - - gen_require(` - type monopd_server_packet_t; - ') - - allow $1 monopd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive monopd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl - - gen_require(` - type monopd_server_packet_t; - ') - - dontaudit $1 monopd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive monopd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_server_packets'($*)) dnl - - corenet_send_monopd_server_packets($1) - corenet_receive_monopd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive monopd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl - - corenet_dontaudit_send_monopd_server_packets($1) - corenet_dontaudit_receive_monopd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to monopd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_monopd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_server_packets'($*)) dnl - - gen_require(` - type monopd_server_packet_t; - ') - - allow $1 monopd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mountd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mountd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mountd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mountd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mountd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mountd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mountd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mountd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mountd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mountd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mountd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mountd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mountd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mountd_port'($*)) dnl - - gen_require(` - type mountd_port_t; - ') - - allow $1 mountd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mountd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mountd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mountd_port'($*)) dnl - - gen_require(` - type mountd_port_t; - ') - - allow $1 mountd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mountd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mountd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mountd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mountd_port'($*)) dnl - - gen_require(` - type mountd_port_t; - ') - - allow $1 mountd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mountd_port'($*)) dnl - ') - - - -######################################## -## -## Send mountd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_client_packets'($*)) dnl - - gen_require(` - type mountd_client_packet_t; - ') - - allow $1 mountd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mountd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_client_packets'($*)) dnl - - gen_require(` - type mountd_client_packet_t; - ') - - dontaudit $1 mountd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mountd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_client_packets'($*)) dnl - - gen_require(` - type mountd_client_packet_t; - ') - - allow $1 mountd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mountd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl - - gen_require(` - type mountd_client_packet_t; - ') - - dontaudit $1 mountd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mountd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_client_packets'($*)) dnl - - corenet_send_mountd_client_packets($1) - corenet_receive_mountd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mountd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl - - corenet_dontaudit_send_mountd_client_packets($1) - corenet_dontaudit_receive_mountd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mountd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mountd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_client_packets'($*)) dnl - - gen_require(` - type mountd_client_packet_t; - ') - - allow $1 mountd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mountd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_server_packets'($*)) dnl - - gen_require(` - type mountd_server_packet_t; - ') - - allow $1 mountd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mountd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_server_packets'($*)) dnl - - gen_require(` - type mountd_server_packet_t; - ') - - dontaudit $1 mountd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mountd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_server_packets'($*)) dnl - - gen_require(` - type mountd_server_packet_t; - ') - - allow $1 mountd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mountd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl - - gen_require(` - type mountd_server_packet_t; - ') - - dontaudit $1 mountd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mountd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_server_packets'($*)) dnl - - corenet_send_mountd_server_packets($1) - corenet_receive_mountd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mountd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl - - corenet_dontaudit_send_mountd_server_packets($1) - corenet_dontaudit_receive_mountd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mountd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mountd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_server_packets'($*)) dnl - - gen_require(` - type mountd_server_packet_t; - ') - - allow $1 mountd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the movaz_ssc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the movaz_ssc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the movaz_ssc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the movaz_ssc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the movaz_ssc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the movaz_ssc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the movaz_ssc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the movaz_ssc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_movaz_ssc_port'($*)) dnl - - gen_require(` - type movaz_ssc_port_t; - ') - - allow $1 movaz_ssc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the movaz_ssc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_movaz_ssc_port'($*)) dnl - - gen_require(` - type movaz_ssc_port_t; - ') - - allow $1 movaz_ssc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_movaz_ssc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the movaz_ssc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_movaz_ssc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_movaz_ssc_port'($*)) dnl - - gen_require(` - type movaz_ssc_port_t; - ') - - allow $1 movaz_ssc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_movaz_ssc_port'($*)) dnl - ') - - - -######################################## -## -## Send movaz_ssc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_client_packets'($*)) dnl - - gen_require(` - type movaz_ssc_client_packet_t; - ') - - allow $1 movaz_ssc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send movaz_ssc_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl - - gen_require(` - type movaz_ssc_client_packet_t; - ') - - dontaudit $1 movaz_ssc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive movaz_ssc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_client_packets'($*)) dnl - - gen_require(` - type movaz_ssc_client_packet_t; - ') - - allow $1 movaz_ssc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive movaz_ssc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl - - gen_require(` - type movaz_ssc_client_packet_t; - ') - - dontaudit $1 movaz_ssc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive movaz_ssc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl - - corenet_send_movaz_ssc_client_packets($1) - corenet_receive_movaz_ssc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive movaz_ssc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl - - corenet_dontaudit_send_movaz_ssc_client_packets($1) - corenet_dontaudit_receive_movaz_ssc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to movaz_ssc_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_movaz_ssc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl - - gen_require(` - type movaz_ssc_client_packet_t; - ') - - allow $1 movaz_ssc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send movaz_ssc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_server_packets'($*)) dnl - - gen_require(` - type movaz_ssc_server_packet_t; - ') - - allow $1 movaz_ssc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send movaz_ssc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl - - gen_require(` - type movaz_ssc_server_packet_t; - ') - - dontaudit $1 movaz_ssc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive movaz_ssc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_server_packets'($*)) dnl - - gen_require(` - type movaz_ssc_server_packet_t; - ') - - allow $1 movaz_ssc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive movaz_ssc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl - - gen_require(` - type movaz_ssc_server_packet_t; - ') - - dontaudit $1 movaz_ssc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive movaz_ssc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl - - corenet_send_movaz_ssc_server_packets($1) - corenet_receive_movaz_ssc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive movaz_ssc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl - - corenet_dontaudit_send_movaz_ssc_server_packets($1) - corenet_dontaudit_receive_movaz_ssc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to movaz_ssc_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_movaz_ssc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl - - gen_require(` - type movaz_ssc_server_packet_t; - ') - - allow $1 movaz_ssc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mpd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mpd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mpd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mpd_port'($*)) dnl - - gen_require(` - type mpd_port_t; - ') - - allow $1 mpd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mpd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mpd_port'($*)) dnl - - gen_require(` - type mpd_port_t; - ') - - allow $1 mpd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mpd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mpd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mpd_port'($*)) dnl - - gen_require(` - type mpd_port_t; - ') - - allow $1 mpd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mpd_port'($*)) dnl - ') - - - -######################################## -## -## Send mpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_client_packets'($*)) dnl - - gen_require(` - type mpd_client_packet_t; - ') - - allow $1 mpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mpd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_client_packets'($*)) dnl - - gen_require(` - type mpd_client_packet_t; - ') - - dontaudit $1 mpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_client_packets'($*)) dnl - - gen_require(` - type mpd_client_packet_t; - ') - - allow $1 mpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl - - gen_require(` - type mpd_client_packet_t; - ') - - dontaudit $1 mpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mpd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_client_packets'($*)) dnl - - corenet_send_mpd_client_packets($1) - corenet_receive_mpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mpd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl - - corenet_dontaudit_send_mpd_client_packets($1) - corenet_dontaudit_receive_mpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mpd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_client_packets'($*)) dnl - - gen_require(` - type mpd_client_packet_t; - ') - - allow $1 mpd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mpd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_server_packets'($*)) dnl - - gen_require(` - type mpd_server_packet_t; - ') - - allow $1 mpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mpd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_server_packets'($*)) dnl - - gen_require(` - type mpd_server_packet_t; - ') - - dontaudit $1 mpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_server_packets'($*)) dnl - - gen_require(` - type mpd_server_packet_t; - ') - - allow $1 mpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mpd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl - - gen_require(` - type mpd_server_packet_t; - ') - - dontaudit $1 mpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_server_packets'($*)) dnl - - corenet_send_mpd_server_packets($1) - corenet_receive_mpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mpd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl - - corenet_dontaudit_send_mpd_server_packets($1) - corenet_dontaudit_receive_mpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mpd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_server_packets'($*)) dnl - - gen_require(` - type mpd_server_packet_t; - ') - - allow $1 mpd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the msgsrvr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the msgsrvr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the msgsrvr port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the msgsrvr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the msgsrvr port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the msgsrvr port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the msgsrvr port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_msgsrvr_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the msgsrvr port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_msgsrvr_port'($*)) dnl - - gen_require(` - type msgsrvr_port_t; - ') - - allow $1 msgsrvr_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the msgsrvr port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_msgsrvr_port'($*)) dnl - - gen_require(` - type msgsrvr_port_t; - ') - - allow $1 msgsrvr_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_msgsrvr_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the msgsrvr port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_msgsrvr_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_msgsrvr_port'($*)) dnl - - gen_require(` - type msgsrvr_port_t; - ') - - allow $1 msgsrvr_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_msgsrvr_port'($*)) dnl - ') - - - -######################################## -## -## Send msgsrvr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_msgsrvr_client_packets'($*)) dnl - - gen_require(` - type msgsrvr_client_packet_t; - ') - - allow $1 msgsrvr_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send msgsrvr_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msgsrvr_client_packets'($*)) dnl - - gen_require(` - type msgsrvr_client_packet_t; - ') - - dontaudit $1 msgsrvr_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive msgsrvr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_msgsrvr_client_packets'($*)) dnl - - gen_require(` - type msgsrvr_client_packet_t; - ') - - allow $1 msgsrvr_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive msgsrvr_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msgsrvr_client_packets'($*)) dnl - - gen_require(` - type msgsrvr_client_packet_t; - ') - - dontaudit $1 msgsrvr_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive msgsrvr_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msgsrvr_client_packets'($*)) dnl - - corenet_send_msgsrvr_client_packets($1) - corenet_receive_msgsrvr_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive msgsrvr_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msgsrvr_client_packets'($*)) dnl - - corenet_dontaudit_send_msgsrvr_client_packets($1) - corenet_dontaudit_receive_msgsrvr_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msgsrvr_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to msgsrvr_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_msgsrvr_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msgsrvr_client_packets'($*)) dnl - - gen_require(` - type msgsrvr_client_packet_t; - ') - - allow $1 msgsrvr_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_msgsrvr_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send msgsrvr_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_msgsrvr_server_packets'($*)) dnl - - gen_require(` - type msgsrvr_server_packet_t; - ') - - allow $1 msgsrvr_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send msgsrvr_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msgsrvr_server_packets'($*)) dnl - - gen_require(` - type msgsrvr_server_packet_t; - ') - - dontaudit $1 msgsrvr_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive msgsrvr_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_msgsrvr_server_packets'($*)) dnl - - gen_require(` - type msgsrvr_server_packet_t; - ') - - allow $1 msgsrvr_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive msgsrvr_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msgsrvr_server_packets'($*)) dnl - - gen_require(` - type msgsrvr_server_packet_t; - ') - - dontaudit $1 msgsrvr_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive msgsrvr_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msgsrvr_server_packets'($*)) dnl - - corenet_send_msgsrvr_server_packets($1) - corenet_receive_msgsrvr_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive msgsrvr_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msgsrvr_server_packets'($*)) dnl - - corenet_dontaudit_send_msgsrvr_server_packets($1) - corenet_dontaudit_receive_msgsrvr_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msgsrvr_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to msgsrvr_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_msgsrvr_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msgsrvr_server_packets'($*)) dnl - - gen_require(` - type msgsrvr_server_packet_t; - ') - - allow $1 msgsrvr_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_msgsrvr_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the msnp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_msnp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the msnp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_msnp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the msnp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_msnp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the msnp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_msnp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the msnp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the msnp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_msnp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the msnp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the msnp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_msnp_port'($*)) dnl - - gen_require(` - type msnp_port_t; - ') - - allow $1 msnp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_msnp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the msnp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_msnp_port'($*)) dnl - - gen_require(` - type msnp_port_t; - ') - - allow $1 msnp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_msnp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the msnp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_msnp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_msnp_port'($*)) dnl - - gen_require(` - type msnp_port_t; - ') - - allow $1 msnp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_msnp_port'($*)) dnl - ') - - - -######################################## -## -## Send msnp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_client_packets'($*)) dnl - - gen_require(` - type msnp_client_packet_t; - ') - - allow $1 msnp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send msnp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_client_packets'($*)) dnl - - gen_require(` - type msnp_client_packet_t; - ') - - dontaudit $1 msnp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive msnp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_client_packets'($*)) dnl - - gen_require(` - type msnp_client_packet_t; - ') - - allow $1 msnp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive msnp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl - - gen_require(` - type msnp_client_packet_t; - ') - - dontaudit $1 msnp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive msnp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_client_packets'($*)) dnl - - corenet_send_msnp_client_packets($1) - corenet_receive_msnp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive msnp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl - - corenet_dontaudit_send_msnp_client_packets($1) - corenet_dontaudit_receive_msnp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to msnp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_msnp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_client_packets'($*)) dnl - - gen_require(` - type msnp_client_packet_t; - ') - - allow $1 msnp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send msnp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_server_packets'($*)) dnl - - gen_require(` - type msnp_server_packet_t; - ') - - allow $1 msnp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send msnp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_server_packets'($*)) dnl - - gen_require(` - type msnp_server_packet_t; - ') - - dontaudit $1 msnp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive msnp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_server_packets'($*)) dnl - - gen_require(` - type msnp_server_packet_t; - ') - - allow $1 msnp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive msnp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl - - gen_require(` - type msnp_server_packet_t; - ') - - dontaudit $1 msnp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive msnp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_server_packets'($*)) dnl - - corenet_send_msnp_server_packets($1) - corenet_receive_msnp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive msnp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl - - corenet_dontaudit_send_msnp_server_packets($1) - corenet_dontaudit_receive_msnp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to msnp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_msnp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_server_packets'($*)) dnl - - gen_require(` - type msnp_server_packet_t; - ') - - allow $1 msnp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mssql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mssql_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mssql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mssql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mssql port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mssql_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mssql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mssql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mssql port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mssql port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mssql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mssql port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mssql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mssql_port'($*)) dnl - - gen_require(` - type mssql_port_t; - ') - - allow $1 mssql_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mssql_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mssql port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mssql_port'($*)) dnl - - gen_require(` - type mssql_port_t; - ') - - allow $1 mssql_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mssql_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mssql port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mssql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mssql_port'($*)) dnl - - gen_require(` - type mssql_port_t; - ') - - allow $1 mssql_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mssql_port'($*)) dnl - ') - - - -######################################## -## -## Send mssql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_client_packets'($*)) dnl - - gen_require(` - type mssql_client_packet_t; - ') - - allow $1 mssql_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mssql_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_client_packets'($*)) dnl - - gen_require(` - type mssql_client_packet_t; - ') - - dontaudit $1 mssql_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mssql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_client_packets'($*)) dnl - - gen_require(` - type mssql_client_packet_t; - ') - - allow $1 mssql_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mssql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl - - gen_require(` - type mssql_client_packet_t; - ') - - dontaudit $1 mssql_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mssql_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_client_packets'($*)) dnl - - corenet_send_mssql_client_packets($1) - corenet_receive_mssql_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mssql_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl - - corenet_dontaudit_send_mssql_client_packets($1) - corenet_dontaudit_receive_mssql_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mssql_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mssql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_client_packets'($*)) dnl - - gen_require(` - type mssql_client_packet_t; - ') - - allow $1 mssql_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mssql_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_server_packets'($*)) dnl - - gen_require(` - type mssql_server_packet_t; - ') - - allow $1 mssql_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mssql_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_server_packets'($*)) dnl - - gen_require(` - type mssql_server_packet_t; - ') - - dontaudit $1 mssql_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mssql_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_server_packets'($*)) dnl - - gen_require(` - type mssql_server_packet_t; - ') - - allow $1 mssql_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mssql_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl - - gen_require(` - type mssql_server_packet_t; - ') - - dontaudit $1 mssql_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mssql_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_server_packets'($*)) dnl - - corenet_send_mssql_server_packets($1) - corenet_receive_mssql_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mssql_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl - - corenet_dontaudit_send_mssql_server_packets($1) - corenet_dontaudit_receive_mssql_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mssql_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mssql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_server_packets'($*)) dnl - - gen_require(` - type mssql_server_packet_t; - ') - - allow $1 mssql_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ms_streaming port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ms_streaming port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ms_streaming port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ms_streaming port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ms_streaming port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ms_streaming port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ms_streaming port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ms_streaming port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ms_streaming_port'($*)) dnl - - gen_require(` - type ms_streaming_port_t; - ') - - allow $1 ms_streaming_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ms_streaming port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ms_streaming_port'($*)) dnl - - gen_require(` - type ms_streaming_port_t; - ') - - allow $1 ms_streaming_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ms_streaming_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ms_streaming port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ms_streaming_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ms_streaming_port'($*)) dnl - - gen_require(` - type ms_streaming_port_t; - ') - - allow $1 ms_streaming_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ms_streaming_port'($*)) dnl - ') - - - -######################################## -## -## Send ms_streaming_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_client_packets'($*)) dnl - - gen_require(` - type ms_streaming_client_packet_t; - ') - - allow $1 ms_streaming_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ms_streaming_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl - - gen_require(` - type ms_streaming_client_packet_t; - ') - - dontaudit $1 ms_streaming_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ms_streaming_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_client_packets'($*)) dnl - - gen_require(` - type ms_streaming_client_packet_t; - ') - - allow $1 ms_streaming_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ms_streaming_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl - - gen_require(` - type ms_streaming_client_packet_t; - ') - - dontaudit $1 ms_streaming_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ms_streaming_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl - - corenet_send_ms_streaming_client_packets($1) - corenet_receive_ms_streaming_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ms_streaming_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl - - corenet_dontaudit_send_ms_streaming_client_packets($1) - corenet_dontaudit_receive_ms_streaming_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ms_streaming_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ms_streaming_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_client_packets'($*)) dnl - - gen_require(` - type ms_streaming_client_packet_t; - ') - - allow $1 ms_streaming_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ms_streaming_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_server_packets'($*)) dnl - - gen_require(` - type ms_streaming_server_packet_t; - ') - - allow $1 ms_streaming_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ms_streaming_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl - - gen_require(` - type ms_streaming_server_packet_t; - ') - - dontaudit $1 ms_streaming_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ms_streaming_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_server_packets'($*)) dnl - - gen_require(` - type ms_streaming_server_packet_t; - ') - - allow $1 ms_streaming_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ms_streaming_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl - - gen_require(` - type ms_streaming_server_packet_t; - ') - - dontaudit $1 ms_streaming_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ms_streaming_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl - - corenet_send_ms_streaming_server_packets($1) - corenet_receive_ms_streaming_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ms_streaming_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl - - corenet_dontaudit_send_ms_streaming_server_packets($1) - corenet_dontaudit_receive_ms_streaming_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ms_streaming_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ms_streaming_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_server_packets'($*)) dnl - - gen_require(` - type ms_streaming_server_packet_t; - ') - - allow $1 ms_streaming_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the munin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_munin_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the munin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_munin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the munin port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_munin_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the munin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_munin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the munin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_munin_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the munin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_munin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the munin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the munin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_munin_port'($*)) dnl - - gen_require(` - type munin_port_t; - ') - - allow $1 munin_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_munin_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the munin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_munin_port'($*)) dnl - - gen_require(` - type munin_port_t; - ') - - allow $1 munin_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_munin_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the munin port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_munin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_munin_port'($*)) dnl - - gen_require(` - type munin_port_t; - ') - - allow $1 munin_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_munin_port'($*)) dnl - ') - - - -######################################## -## -## Send munin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_munin_client_packets'($*)) dnl - - gen_require(` - type munin_client_packet_t; - ') - - allow $1 munin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send munin_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_client_packets'($*)) dnl - - gen_require(` - type munin_client_packet_t; - ') - - dontaudit $1 munin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive munin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_client_packets'($*)) dnl - - gen_require(` - type munin_client_packet_t; - ') - - allow $1 munin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive munin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_client_packets'($*)) dnl - - gen_require(` - type munin_client_packet_t; - ') - - dontaudit $1 munin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive munin_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_client_packets'($*)) dnl - - corenet_send_munin_client_packets($1) - corenet_receive_munin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive munin_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl - - corenet_dontaudit_send_munin_client_packets($1) - corenet_dontaudit_receive_munin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to munin_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_munin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_client_packets'($*)) dnl - - gen_require(` - type munin_client_packet_t; - ') - - allow $1 munin_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send munin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_munin_server_packets'($*)) dnl - - gen_require(` - type munin_server_packet_t; - ') - - allow $1 munin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send munin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_server_packets'($*)) dnl - - gen_require(` - type munin_server_packet_t; - ') - - dontaudit $1 munin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive munin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_server_packets'($*)) dnl - - gen_require(` - type munin_server_packet_t; - ') - - allow $1 munin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive munin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_server_packets'($*)) dnl - - gen_require(` - type munin_server_packet_t; - ') - - dontaudit $1 munin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive munin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_server_packets'($*)) dnl - - corenet_send_munin_server_packets($1) - corenet_receive_munin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive munin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl - - corenet_dontaudit_send_munin_server_packets($1) - corenet_dontaudit_receive_munin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to munin_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_munin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_server_packets'($*)) dnl - - gen_require(` - type munin_server_packet_t; - ') - - allow $1 munin_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mxi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mxi_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mxi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mxi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mxi port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mxi_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mxi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mxi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mxi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mxi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mxi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mxi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mxi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mxi_port'($*)) dnl - - gen_require(` - type mxi_port_t; - ') - - allow $1 mxi_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mxi_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mxi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mxi_port'($*)) dnl - - gen_require(` - type mxi_port_t; - ') - - allow $1 mxi_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mxi_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mxi port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mxi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mxi_port'($*)) dnl - - gen_require(` - type mxi_port_t; - ') - - allow $1 mxi_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mxi_port'($*)) dnl - ') - - - -######################################## -## -## Send mxi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_client_packets'($*)) dnl - - gen_require(` - type mxi_client_packet_t; - ') - - allow $1 mxi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mxi_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_client_packets'($*)) dnl - - gen_require(` - type mxi_client_packet_t; - ') - - dontaudit $1 mxi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mxi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_client_packets'($*)) dnl - - gen_require(` - type mxi_client_packet_t; - ') - - allow $1 mxi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mxi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl - - gen_require(` - type mxi_client_packet_t; - ') - - dontaudit $1 mxi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mxi_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_client_packets'($*)) dnl - - corenet_send_mxi_client_packets($1) - corenet_receive_mxi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mxi_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl - - corenet_dontaudit_send_mxi_client_packets($1) - corenet_dontaudit_receive_mxi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mxi_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mxi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_client_packets'($*)) dnl - - gen_require(` - type mxi_client_packet_t; - ') - - allow $1 mxi_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mxi_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_server_packets'($*)) dnl - - gen_require(` - type mxi_server_packet_t; - ') - - allow $1 mxi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mxi_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_server_packets'($*)) dnl - - gen_require(` - type mxi_server_packet_t; - ') - - dontaudit $1 mxi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mxi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_server_packets'($*)) dnl - - gen_require(` - type mxi_server_packet_t; - ') - - allow $1 mxi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mxi_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl - - gen_require(` - type mxi_server_packet_t; - ') - - dontaudit $1 mxi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mxi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_server_packets'($*)) dnl - - corenet_send_mxi_server_packets($1) - corenet_receive_mxi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mxi_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl - - corenet_dontaudit_send_mxi_server_packets($1) - corenet_dontaudit_receive_mxi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mxi_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mxi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_server_packets'($*)) dnl - - gen_require(` - type mxi_server_packet_t; - ') - - allow $1 mxi_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mysqld port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mysqld port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mysqld port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mysqld port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mysqld port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mysqld port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mysqld port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mysqld port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqld_port'($*)) dnl - - gen_require(` - type mysqld_port_t; - ') - - allow $1 mysqld_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mysqld port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqld_port'($*)) dnl - - gen_require(` - type mysqld_port_t; - ') - - allow $1 mysqld_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqld_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mysqld port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mysqld_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqld_port'($*)) dnl - - gen_require(` - type mysqld_port_t; - ') - - allow $1 mysqld_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqld_port'($*)) dnl - ') - - - -######################################## -## -## Send mysqld_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_client_packets'($*)) dnl - - gen_require(` - type mysqld_client_packet_t; - ') - - allow $1 mysqld_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mysqld_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl - - gen_require(` - type mysqld_client_packet_t; - ') - - dontaudit $1 mysqld_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mysqld_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_client_packets'($*)) dnl - - gen_require(` - type mysqld_client_packet_t; - ') - - allow $1 mysqld_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mysqld_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl - - gen_require(` - type mysqld_client_packet_t; - ') - - dontaudit $1 mysqld_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mysqld_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_client_packets'($*)) dnl - - corenet_send_mysqld_client_packets($1) - corenet_receive_mysqld_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mysqld_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl - - corenet_dontaudit_send_mysqld_client_packets($1) - corenet_dontaudit_receive_mysqld_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mysqld_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mysqld_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_client_packets'($*)) dnl - - gen_require(` - type mysqld_client_packet_t; - ') - - allow $1 mysqld_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mysqld_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_server_packets'($*)) dnl - - gen_require(` - type mysqld_server_packet_t; - ') - - allow $1 mysqld_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mysqld_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl - - gen_require(` - type mysqld_server_packet_t; - ') - - dontaudit $1 mysqld_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mysqld_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_server_packets'($*)) dnl - - gen_require(` - type mysqld_server_packet_t; - ') - - allow $1 mysqld_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mysqld_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl - - gen_require(` - type mysqld_server_packet_t; - ') - - dontaudit $1 mysqld_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mysqld_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_server_packets'($*)) dnl - - corenet_send_mysqld_server_packets($1) - corenet_receive_mysqld_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mysqld_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl - - corenet_dontaudit_send_mysqld_server_packets($1) - corenet_dontaudit_receive_mysqld_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mysqld_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mysqld_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_server_packets'($*)) dnl - - gen_require(` - type mysqld_server_packet_t; - ') - - allow $1 mysqld_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the mysqlmanagerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the mysqlmanagerd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the mysqlmanagerd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl - - gen_require(` - type mysqlmanagerd_port_t; - ') - - allow $1 mysqlmanagerd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the mysqlmanagerd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl - - gen_require(` - type mysqlmanagerd_port_t; - ') - - allow $1 mysqlmanagerd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the mysqlmanagerd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_mysqlmanagerd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl - - gen_require(` - type mysqlmanagerd_port_t; - ') - - allow $1 mysqlmanagerd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl - ') - - - -######################################## -## -## Send mysqlmanagerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_client_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_client_packet_t; - ') - - allow $1 mysqlmanagerd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mysqlmanagerd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_client_packet_t; - ') - - dontaudit $1 mysqlmanagerd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive mysqlmanagerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_client_packet_t; - ') - - allow $1 mysqlmanagerd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mysqlmanagerd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_client_packet_t; - ') - - dontaudit $1 mysqlmanagerd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mysqlmanagerd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl - - corenet_send_mysqlmanagerd_client_packets($1) - corenet_receive_mysqlmanagerd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mysqlmanagerd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl - - corenet_dontaudit_send_mysqlmanagerd_client_packets($1) - corenet_dontaudit_receive_mysqlmanagerd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mysqlmanagerd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_mysqlmanagerd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_client_packet_t; - ') - - allow $1 mysqlmanagerd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send mysqlmanagerd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_server_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_server_packet_t; - ') - - allow $1 mysqlmanagerd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send mysqlmanagerd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_server_packet_t; - ') - - dontaudit $1 mysqlmanagerd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive mysqlmanagerd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_server_packet_t; - ') - - allow $1 mysqlmanagerd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive mysqlmanagerd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_server_packet_t; - ') - - dontaudit $1 mysqlmanagerd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive mysqlmanagerd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl - - corenet_send_mysqlmanagerd_server_packets($1) - corenet_receive_mysqlmanagerd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive mysqlmanagerd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl - - corenet_dontaudit_send_mysqlmanagerd_server_packets($1) - corenet_dontaudit_receive_mysqlmanagerd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to mysqlmanagerd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_mysqlmanagerd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl - - gen_require(` - type mysqlmanagerd_server_packet_t; - ') - - allow $1 mysqlmanagerd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the nessus port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nessus_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the nessus port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_nessus_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the nessus port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nessus_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the nessus port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nessus_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the nessus port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the nessus port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nessus_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the nessus port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the nessus port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nessus_port'($*)) dnl - - gen_require(` - type nessus_port_t; - ') - - allow $1 nessus_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nessus_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the nessus port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nessus_port'($*)) dnl - - gen_require(` - type nessus_port_t; - ') - - allow $1 nessus_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nessus_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the nessus port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_nessus_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nessus_port'($*)) dnl - - gen_require(` - type nessus_port_t; - ') - - allow $1 nessus_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nessus_port'($*)) dnl - ') - - - -######################################## -## -## Send nessus_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_client_packets'($*)) dnl - - gen_require(` - type nessus_client_packet_t; - ') - - allow $1 nessus_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nessus_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_client_packets'($*)) dnl - - gen_require(` - type nessus_client_packet_t; - ') - - dontaudit $1 nessus_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive nessus_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_client_packets'($*)) dnl - - gen_require(` - type nessus_client_packet_t; - ') - - allow $1 nessus_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nessus_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl - - gen_require(` - type nessus_client_packet_t; - ') - - dontaudit $1 nessus_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nessus_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_client_packets'($*)) dnl - - corenet_send_nessus_client_packets($1) - corenet_receive_nessus_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nessus_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl - - corenet_dontaudit_send_nessus_client_packets($1) - corenet_dontaudit_receive_nessus_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nessus_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_nessus_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_client_packets'($*)) dnl - - gen_require(` - type nessus_client_packet_t; - ') - - allow $1 nessus_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send nessus_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_server_packets'($*)) dnl - - gen_require(` - type nessus_server_packet_t; - ') - - allow $1 nessus_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nessus_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_server_packets'($*)) dnl - - gen_require(` - type nessus_server_packet_t; - ') - - dontaudit $1 nessus_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive nessus_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_server_packets'($*)) dnl - - gen_require(` - type nessus_server_packet_t; - ') - - allow $1 nessus_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nessus_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl - - gen_require(` - type nessus_server_packet_t; - ') - - dontaudit $1 nessus_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nessus_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_server_packets'($*)) dnl - - corenet_send_nessus_server_packets($1) - corenet_receive_nessus_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nessus_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl - - corenet_dontaudit_send_nessus_server_packets($1) - corenet_dontaudit_receive_nessus_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nessus_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_nessus_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_server_packets'($*)) dnl - - gen_require(` - type nessus_server_packet_t; - ') - - allow $1 nessus_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the netport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netport_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the netport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_netport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the netport port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netport_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the netport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the netport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netport_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the netport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the netport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the netport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netport_port'($*)) dnl - - gen_require(` - type netport_port_t; - ') - - allow $1 netport_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netport_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the netport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netport_port'($*)) dnl - - gen_require(` - type netport_port_t; - ') - - allow $1 netport_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netport_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the netport port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_netport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netport_port'($*)) dnl - - gen_require(` - type netport_port_t; - ') - - allow $1 netport_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netport_port'($*)) dnl - ') - - - -######################################## -## -## Send netport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_netport_client_packets'($*)) dnl - - gen_require(` - type netport_client_packet_t; - ') - - allow $1 netport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send netport_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_client_packets'($*)) dnl - - gen_require(` - type netport_client_packet_t; - ') - - dontaudit $1 netport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive netport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_client_packets'($*)) dnl - - gen_require(` - type netport_client_packet_t; - ') - - allow $1 netport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive netport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_client_packets'($*)) dnl - - gen_require(` - type netport_client_packet_t; - ') - - dontaudit $1 netport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive netport_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_client_packets'($*)) dnl - - corenet_send_netport_client_packets($1) - corenet_receive_netport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive netport_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl - - corenet_dontaudit_send_netport_client_packets($1) - corenet_dontaudit_receive_netport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to netport_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_netport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_client_packets'($*)) dnl - - gen_require(` - type netport_client_packet_t; - ') - - allow $1 netport_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send netport_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_netport_server_packets'($*)) dnl - - gen_require(` - type netport_server_packet_t; - ') - - allow $1 netport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send netport_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_server_packets'($*)) dnl - - gen_require(` - type netport_server_packet_t; - ') - - dontaudit $1 netport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive netport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_server_packets'($*)) dnl - - gen_require(` - type netport_server_packet_t; - ') - - allow $1 netport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive netport_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_server_packets'($*)) dnl - - gen_require(` - type netport_server_packet_t; - ') - - dontaudit $1 netport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive netport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_server_packets'($*)) dnl - - corenet_send_netport_server_packets($1) - corenet_receive_netport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive netport_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl - - corenet_dontaudit_send_netport_server_packets($1) - corenet_dontaudit_receive_netport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to netport_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_netport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_server_packets'($*)) dnl - - gen_require(` - type netport_server_packet_t; - ') - - allow $1 netport_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the netsupport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the netsupport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the netsupport port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the netsupport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the netsupport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the netsupport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the netsupport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the netsupport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netsupport_port'($*)) dnl - - gen_require(` - type netsupport_port_t; - ') - - allow $1 netsupport_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the netsupport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netsupport_port'($*)) dnl - - gen_require(` - type netsupport_port_t; - ') - - allow $1 netsupport_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netsupport_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the netsupport port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_netsupport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netsupport_port'($*)) dnl - - gen_require(` - type netsupport_port_t; - ') - - allow $1 netsupport_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netsupport_port'($*)) dnl - ') - - - -######################################## -## -## Send netsupport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_client_packets'($*)) dnl - - gen_require(` - type netsupport_client_packet_t; - ') - - allow $1 netsupport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send netsupport_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl - - gen_require(` - type netsupport_client_packet_t; - ') - - dontaudit $1 netsupport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive netsupport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_client_packets'($*)) dnl - - gen_require(` - type netsupport_client_packet_t; - ') - - allow $1 netsupport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive netsupport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl - - gen_require(` - type netsupport_client_packet_t; - ') - - dontaudit $1 netsupport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive netsupport_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_client_packets'($*)) dnl - - corenet_send_netsupport_client_packets($1) - corenet_receive_netsupport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive netsupport_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl - - corenet_dontaudit_send_netsupport_client_packets($1) - corenet_dontaudit_receive_netsupport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to netsupport_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_netsupport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_client_packets'($*)) dnl - - gen_require(` - type netsupport_client_packet_t; - ') - - allow $1 netsupport_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send netsupport_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_server_packets'($*)) dnl - - gen_require(` - type netsupport_server_packet_t; - ') - - allow $1 netsupport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send netsupport_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl - - gen_require(` - type netsupport_server_packet_t; - ') - - dontaudit $1 netsupport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive netsupport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_server_packets'($*)) dnl - - gen_require(` - type netsupport_server_packet_t; - ') - - allow $1 netsupport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive netsupport_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl - - gen_require(` - type netsupport_server_packet_t; - ') - - dontaudit $1 netsupport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive netsupport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_server_packets'($*)) dnl - - corenet_send_netsupport_server_packets($1) - corenet_receive_netsupport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive netsupport_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl - - corenet_dontaudit_send_netsupport_server_packets($1) - corenet_dontaudit_receive_netsupport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to netsupport_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_netsupport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_server_packets'($*)) dnl - - gen_require(` - type netsupport_server_packet_t; - ') - - allow $1 netsupport_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the nfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nfs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the nfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_nfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the nfs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nfs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the nfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the nfs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the nfs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the nfs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nfs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the nfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nfs_port'($*)) dnl - - gen_require(` - type nfs_port_t; - ') - - allow $1 nfs_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nfs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the nfs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nfs_port'($*)) dnl - - gen_require(` - type nfs_port_t; - ') - - allow $1 nfs_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nfs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the nfs port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_nfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nfs_port'($*)) dnl - - gen_require(` - type nfs_port_t; - ') - - allow $1 nfs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nfs_port'($*)) dnl - ') - - - -######################################## -## -## Send nfs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_client_packets'($*)) dnl - - gen_require(` - type nfs_client_packet_t; - ') - - allow $1 nfs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nfs_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_client_packets'($*)) dnl - - gen_require(` - type nfs_client_packet_t; - ') - - dontaudit $1 nfs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive nfs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_client_packets'($*)) dnl - - gen_require(` - type nfs_client_packet_t; - ') - - allow $1 nfs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nfs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_client_packets'($*)) dnl - - gen_require(` - type nfs_client_packet_t; - ') - - dontaudit $1 nfs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nfs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_client_packets'($*)) dnl - - corenet_send_nfs_client_packets($1) - corenet_receive_nfs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nfs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_client_packets'($*)) dnl - - corenet_dontaudit_send_nfs_client_packets($1) - corenet_dontaudit_receive_nfs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nfs_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_nfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_client_packets'($*)) dnl - - gen_require(` - type nfs_client_packet_t; - ') - - allow $1 nfs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send nfs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_server_packets'($*)) dnl - - gen_require(` - type nfs_server_packet_t; - ') - - allow $1 nfs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nfs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_server_packets'($*)) dnl - - gen_require(` - type nfs_server_packet_t; - ') - - dontaudit $1 nfs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive nfs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_server_packets'($*)) dnl - - gen_require(` - type nfs_server_packet_t; - ') - - allow $1 nfs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nfs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_server_packets'($*)) dnl - - gen_require(` - type nfs_server_packet_t; - ') - - dontaudit $1 nfs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nfs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_server_packets'($*)) dnl - - corenet_send_nfs_server_packets($1) - corenet_receive_nfs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nfs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_server_packets'($*)) dnl - - corenet_dontaudit_send_nfs_server_packets($1) - corenet_dontaudit_receive_nfs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nfs_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_nfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_server_packets'($*)) dnl - - gen_require(` - type nfs_server_packet_t; - ') - - allow $1 nfs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the nfsrdma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the nfsrdma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the nfsrdma port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the nfsrdma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the nfsrdma port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the nfsrdma port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the nfsrdma port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nfsrdma_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the nfsrdma port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nfsrdma_port'($*)) dnl - - gen_require(` - type nfsrdma_port_t; - ') - - allow $1 nfsrdma_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the nfsrdma port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nfsrdma_port'($*)) dnl - - gen_require(` - type nfsrdma_port_t; - ') - - allow $1 nfsrdma_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nfsrdma_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the nfsrdma port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_nfsrdma_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nfsrdma_port'($*)) dnl - - gen_require(` - type nfsrdma_port_t; - ') - - allow $1 nfsrdma_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nfsrdma_port'($*)) dnl - ') - - - -######################################## -## -## Send nfsrdma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nfsrdma_client_packets'($*)) dnl - - gen_require(` - type nfsrdma_client_packet_t; - ') - - allow $1 nfsrdma_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nfsrdma_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfsrdma_client_packets'($*)) dnl - - gen_require(` - type nfsrdma_client_packet_t; - ') - - dontaudit $1 nfsrdma_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive nfsrdma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nfsrdma_client_packets'($*)) dnl - - gen_require(` - type nfsrdma_client_packet_t; - ') - - allow $1 nfsrdma_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nfsrdma_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfsrdma_client_packets'($*)) dnl - - gen_require(` - type nfsrdma_client_packet_t; - ') - - dontaudit $1 nfsrdma_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nfsrdma_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfsrdma_client_packets'($*)) dnl - - corenet_send_nfsrdma_client_packets($1) - corenet_receive_nfsrdma_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nfsrdma_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfsrdma_client_packets'($*)) dnl - - corenet_dontaudit_send_nfsrdma_client_packets($1) - corenet_dontaudit_receive_nfsrdma_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfsrdma_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nfsrdma_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_nfsrdma_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfsrdma_client_packets'($*)) dnl - - gen_require(` - type nfsrdma_client_packet_t; - ') - - allow $1 nfsrdma_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfsrdma_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send nfsrdma_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nfsrdma_server_packets'($*)) dnl - - gen_require(` - type nfsrdma_server_packet_t; - ') - - allow $1 nfsrdma_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nfsrdma_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfsrdma_server_packets'($*)) dnl - - gen_require(` - type nfsrdma_server_packet_t; - ') - - dontaudit $1 nfsrdma_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive nfsrdma_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nfsrdma_server_packets'($*)) dnl - - gen_require(` - type nfsrdma_server_packet_t; - ') - - allow $1 nfsrdma_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nfsrdma_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfsrdma_server_packets'($*)) dnl - - gen_require(` - type nfsrdma_server_packet_t; - ') - - dontaudit $1 nfsrdma_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nfsrdma_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfsrdma_server_packets'($*)) dnl - - corenet_send_nfsrdma_server_packets($1) - corenet_receive_nfsrdma_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nfsrdma_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfsrdma_server_packets'($*)) dnl - - corenet_dontaudit_send_nfsrdma_server_packets($1) - corenet_dontaudit_receive_nfsrdma_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfsrdma_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nfsrdma_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_nfsrdma_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfsrdma_server_packets'($*)) dnl - - gen_require(` - type nfsrdma_server_packet_t; - ') - - allow $1 nfsrdma_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfsrdma_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the nmbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the nmbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the nmbd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the nmbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the nmbd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the nmbd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the nmbd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the nmbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmbd_port'($*)) dnl - - gen_require(` - type nmbd_port_t; - ') - - allow $1 nmbd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the nmbd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmbd_port'($*)) dnl - - gen_require(` - type nmbd_port_t; - ') - - allow $1 nmbd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmbd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the nmbd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_nmbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmbd_port'($*)) dnl - - gen_require(` - type nmbd_port_t; - ') - - allow $1 nmbd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmbd_port'($*)) dnl - ') - - - -######################################## -## -## Send nmbd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_client_packets'($*)) dnl - - gen_require(` - type nmbd_client_packet_t; - ') - - allow $1 nmbd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nmbd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl - - gen_require(` - type nmbd_client_packet_t; - ') - - dontaudit $1 nmbd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive nmbd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_client_packets'($*)) dnl - - gen_require(` - type nmbd_client_packet_t; - ') - - allow $1 nmbd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nmbd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl - - gen_require(` - type nmbd_client_packet_t; - ') - - dontaudit $1 nmbd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nmbd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_client_packets'($*)) dnl - - corenet_send_nmbd_client_packets($1) - corenet_receive_nmbd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nmbd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl - - corenet_dontaudit_send_nmbd_client_packets($1) - corenet_dontaudit_receive_nmbd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nmbd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_nmbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_client_packets'($*)) dnl - - gen_require(` - type nmbd_client_packet_t; - ') - - allow $1 nmbd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send nmbd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_server_packets'($*)) dnl - - gen_require(` - type nmbd_server_packet_t; - ') - - allow $1 nmbd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send nmbd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl - - gen_require(` - type nmbd_server_packet_t; - ') - - dontaudit $1 nmbd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive nmbd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_server_packets'($*)) dnl - - gen_require(` - type nmbd_server_packet_t; - ') - - allow $1 nmbd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive nmbd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl - - gen_require(` - type nmbd_server_packet_t; - ') - - dontaudit $1 nmbd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive nmbd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_server_packets'($*)) dnl - - corenet_send_nmbd_server_packets($1) - corenet_receive_nmbd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive nmbd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl - - corenet_dontaudit_send_nmbd_server_packets($1) - corenet_dontaudit_receive_nmbd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to nmbd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_nmbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_server_packets'($*)) dnl - - gen_require(` - type nmbd_server_packet_t; - ') - - allow $1 nmbd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ntop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntop_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ntop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ntop port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntop_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ntop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ntop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ntop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ntop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ntop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntop_port'($*)) dnl - - gen_require(` - type ntop_port_t; - ') - - allow $1 ntop_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntop_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ntop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntop_port'($*)) dnl - - gen_require(` - type ntop_port_t; - ') - - allow $1 ntop_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntop_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ntop port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ntop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntop_port'($*)) dnl - - gen_require(` - type ntop_port_t; - ') - - allow $1 ntop_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntop_port'($*)) dnl - ') - - - -######################################## -## -## Send ntop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_client_packets'($*)) dnl - - gen_require(` - type ntop_client_packet_t; - ') - - allow $1 ntop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ntop_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_client_packets'($*)) dnl - - gen_require(` - type ntop_client_packet_t; - ') - - dontaudit $1 ntop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ntop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_client_packets'($*)) dnl - - gen_require(` - type ntop_client_packet_t; - ') - - allow $1 ntop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ntop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl - - gen_require(` - type ntop_client_packet_t; - ') - - dontaudit $1 ntop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ntop_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_client_packets'($*)) dnl - - corenet_send_ntop_client_packets($1) - corenet_receive_ntop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ntop_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl - - corenet_dontaudit_send_ntop_client_packets($1) - corenet_dontaudit_receive_ntop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ntop_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ntop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_client_packets'($*)) dnl - - gen_require(` - type ntop_client_packet_t; - ') - - allow $1 ntop_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ntop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_server_packets'($*)) dnl - - gen_require(` - type ntop_server_packet_t; - ') - - allow $1 ntop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ntop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_server_packets'($*)) dnl - - gen_require(` - type ntop_server_packet_t; - ') - - dontaudit $1 ntop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ntop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_server_packets'($*)) dnl - - gen_require(` - type ntop_server_packet_t; - ') - - allow $1 ntop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ntop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl - - gen_require(` - type ntop_server_packet_t; - ') - - dontaudit $1 ntop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ntop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_server_packets'($*)) dnl - - corenet_send_ntop_server_packets($1) - corenet_receive_ntop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ntop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl - - corenet_dontaudit_send_ntop_server_packets($1) - corenet_dontaudit_receive_ntop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ntop_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ntop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_server_packets'($*)) dnl - - gen_require(` - type ntop_server_packet_t; - ') - - allow $1 ntop_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ntp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ntp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ntp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ntp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ntp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ntp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ntp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ntp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntp_port'($*)) dnl - - gen_require(` - type ntp_port_t; - ') - - allow $1 ntp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ntp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntp_port'($*)) dnl - - gen_require(` - type ntp_port_t; - ') - - allow $1 ntp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ntp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ntp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntp_port'($*)) dnl - - gen_require(` - type ntp_port_t; - ') - - allow $1 ntp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntp_port'($*)) dnl - ') - - - -######################################## -## -## Send ntp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_client_packets'($*)) dnl - - gen_require(` - type ntp_client_packet_t; - ') - - allow $1 ntp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ntp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_client_packets'($*)) dnl - - gen_require(` - type ntp_client_packet_t; - ') - - dontaudit $1 ntp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ntp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_client_packets'($*)) dnl - - gen_require(` - type ntp_client_packet_t; - ') - - allow $1 ntp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ntp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl - - gen_require(` - type ntp_client_packet_t; - ') - - dontaudit $1 ntp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ntp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_client_packets'($*)) dnl - - corenet_send_ntp_client_packets($1) - corenet_receive_ntp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ntp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl - - corenet_dontaudit_send_ntp_client_packets($1) - corenet_dontaudit_receive_ntp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ntp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ntp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_client_packets'($*)) dnl - - gen_require(` - type ntp_client_packet_t; - ') - - allow $1 ntp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ntp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_server_packets'($*)) dnl - - gen_require(` - type ntp_server_packet_t; - ') - - allow $1 ntp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ntp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_server_packets'($*)) dnl - - gen_require(` - type ntp_server_packet_t; - ') - - dontaudit $1 ntp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ntp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_server_packets'($*)) dnl - - gen_require(` - type ntp_server_packet_t; - ') - - allow $1 ntp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ntp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl - - gen_require(` - type ntp_server_packet_t; - ') - - dontaudit $1 ntp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ntp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_server_packets'($*)) dnl - - corenet_send_ntp_server_packets($1) - corenet_receive_ntp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ntp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl - - corenet_dontaudit_send_ntp_server_packets($1) - corenet_dontaudit_receive_ntp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ntp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ntp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_server_packets'($*)) dnl - - gen_require(` - type ntp_server_packet_t; - ') - - allow $1 ntp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the oa_system port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the oa_system port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the oa_system port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the oa_system port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the oa_system port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the oa_system port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the oa_system port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the oa_system port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oa_system_port'($*)) dnl - - gen_require(` - type oa_system_port_t; - ') - - allow $1 oa_system_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the oa_system port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oa_system_port'($*)) dnl - - gen_require(` - type oa_system_port_t; - ') - - allow $1 oa_system_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oa_system_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the oa_system port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_oa_system_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oa_system_port'($*)) dnl - - gen_require(` - type oa_system_port_t; - ') - - allow $1 oa_system_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oa_system_port'($*)) dnl - ') - - - -######################################## -## -## Send oa_system_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_client_packets'($*)) dnl - - gen_require(` - type oa_system_client_packet_t; - ') - - allow $1 oa_system_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send oa_system_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl - - gen_require(` - type oa_system_client_packet_t; - ') - - dontaudit $1 oa_system_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive oa_system_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_client_packets'($*)) dnl - - gen_require(` - type oa_system_client_packet_t; - ') - - allow $1 oa_system_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive oa_system_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl - - gen_require(` - type oa_system_client_packet_t; - ') - - dontaudit $1 oa_system_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive oa_system_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_client_packets'($*)) dnl - - corenet_send_oa_system_client_packets($1) - corenet_receive_oa_system_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive oa_system_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl - - corenet_dontaudit_send_oa_system_client_packets($1) - corenet_dontaudit_receive_oa_system_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to oa_system_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_oa_system_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_client_packets'($*)) dnl - - gen_require(` - type oa_system_client_packet_t; - ') - - allow $1 oa_system_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send oa_system_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_server_packets'($*)) dnl - - gen_require(` - type oa_system_server_packet_t; - ') - - allow $1 oa_system_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send oa_system_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl - - gen_require(` - type oa_system_server_packet_t; - ') - - dontaudit $1 oa_system_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive oa_system_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_server_packets'($*)) dnl - - gen_require(` - type oa_system_server_packet_t; - ') - - allow $1 oa_system_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive oa_system_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl - - gen_require(` - type oa_system_server_packet_t; - ') - - dontaudit $1 oa_system_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive oa_system_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_server_packets'($*)) dnl - - corenet_send_oa_system_server_packets($1) - corenet_receive_oa_system_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive oa_system_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl - - corenet_dontaudit_send_oa_system_server_packets($1) - corenet_dontaudit_receive_oa_system_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to oa_system_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_oa_system_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_server_packets'($*)) dnl - - gen_require(` - type oa_system_server_packet_t; - ') - - allow $1 oa_system_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the oracledb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the oracledb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the oracledb port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the oracledb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the oracledb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the oracledb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the oracledb port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oracledb_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the oracledb port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oracledb_port'($*)) dnl - - gen_require(` - type oracledb_port_t; - ') - - allow $1 oracledb_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the oracledb port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oracledb_port'($*)) dnl - - gen_require(` - type oracledb_port_t; - ') - - allow $1 oracledb_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oracledb_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the oracledb port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_oracledb_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oracledb_port'($*)) dnl - - gen_require(` - type oracledb_port_t; - ') - - allow $1 oracledb_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oracledb_port'($*)) dnl - ') - - - -######################################## -## -## Send oracledb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_oracledb_client_packets'($*)) dnl - - gen_require(` - type oracledb_client_packet_t; - ') - - allow $1 oracledb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send oracledb_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracledb_client_packets'($*)) dnl - - gen_require(` - type oracledb_client_packet_t; - ') - - dontaudit $1 oracledb_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive oracledb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_oracledb_client_packets'($*)) dnl - - gen_require(` - type oracledb_client_packet_t; - ') - - allow $1 oracledb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive oracledb_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracledb_client_packets'($*)) dnl - - gen_require(` - type oracledb_client_packet_t; - ') - - dontaudit $1 oracledb_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive oracledb_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracledb_client_packets'($*)) dnl - - corenet_send_oracledb_client_packets($1) - corenet_receive_oracledb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive oracledb_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracledb_client_packets'($*)) dnl - - corenet_dontaudit_send_oracledb_client_packets($1) - corenet_dontaudit_receive_oracledb_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracledb_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to oracledb_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_oracledb_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracledb_client_packets'($*)) dnl - - gen_require(` - type oracledb_client_packet_t; - ') - - allow $1 oracledb_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracledb_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send oracledb_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_oracledb_server_packets'($*)) dnl - - gen_require(` - type oracledb_server_packet_t; - ') - - allow $1 oracledb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send oracledb_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracledb_server_packets'($*)) dnl - - gen_require(` - type oracledb_server_packet_t; - ') - - dontaudit $1 oracledb_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive oracledb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_oracledb_server_packets'($*)) dnl - - gen_require(` - type oracledb_server_packet_t; - ') - - allow $1 oracledb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive oracledb_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracledb_server_packets'($*)) dnl - - gen_require(` - type oracledb_server_packet_t; - ') - - dontaudit $1 oracledb_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive oracledb_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracledb_server_packets'($*)) dnl - - corenet_send_oracledb_server_packets($1) - corenet_receive_oracledb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive oracledb_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracledb_server_packets'($*)) dnl - - corenet_dontaudit_send_oracledb_server_packets($1) - corenet_dontaudit_receive_oracledb_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracledb_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to oracledb_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_oracledb_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracledb_server_packets'($*)) dnl - - gen_require(` - type oracledb_server_packet_t; - ') - - allow $1 oracledb_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracledb_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ocsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ocsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ocsp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ocsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ocsp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ocsp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ocsp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ocsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ocsp_port'($*)) dnl - - gen_require(` - type ocsp_port_t; - ') - - allow $1 ocsp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ocsp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ocsp_port'($*)) dnl - - gen_require(` - type ocsp_port_t; - ') - - allow $1 ocsp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ocsp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ocsp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ocsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ocsp_port'($*)) dnl - - gen_require(` - type ocsp_port_t; - ') - - allow $1 ocsp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ocsp_port'($*)) dnl - ') - - - -######################################## -## -## Send ocsp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_client_packets'($*)) dnl - - gen_require(` - type ocsp_client_packet_t; - ') - - allow $1 ocsp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ocsp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl - - gen_require(` - type ocsp_client_packet_t; - ') - - dontaudit $1 ocsp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ocsp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_client_packets'($*)) dnl - - gen_require(` - type ocsp_client_packet_t; - ') - - allow $1 ocsp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ocsp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl - - gen_require(` - type ocsp_client_packet_t; - ') - - dontaudit $1 ocsp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ocsp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_client_packets'($*)) dnl - - corenet_send_ocsp_client_packets($1) - corenet_receive_ocsp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ocsp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl - - corenet_dontaudit_send_ocsp_client_packets($1) - corenet_dontaudit_receive_ocsp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ocsp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ocsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_client_packets'($*)) dnl - - gen_require(` - type ocsp_client_packet_t; - ') - - allow $1 ocsp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ocsp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_server_packets'($*)) dnl - - gen_require(` - type ocsp_server_packet_t; - ') - - allow $1 ocsp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ocsp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl - - gen_require(` - type ocsp_server_packet_t; - ') - - dontaudit $1 ocsp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ocsp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_server_packets'($*)) dnl - - gen_require(` - type ocsp_server_packet_t; - ') - - allow $1 ocsp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ocsp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl - - gen_require(` - type ocsp_server_packet_t; - ') - - dontaudit $1 ocsp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ocsp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_server_packets'($*)) dnl - - corenet_send_ocsp_server_packets($1) - corenet_receive_ocsp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ocsp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl - - corenet_dontaudit_send_ocsp_server_packets($1) - corenet_dontaudit_receive_ocsp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ocsp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ocsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_server_packets'($*)) dnl - - gen_require(` - type ocsp_server_packet_t; - ') - - allow $1 ocsp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the openhpid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the openhpid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the openhpid port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the openhpid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the openhpid port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the openhpid port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the openhpid port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the openhpid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openhpid_port'($*)) dnl - - gen_require(` - type openhpid_port_t; - ') - - allow $1 openhpid_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the openhpid port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openhpid_port'($*)) dnl - - gen_require(` - type openhpid_port_t; - ') - - allow $1 openhpid_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openhpid_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the openhpid port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_openhpid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openhpid_port'($*)) dnl - - gen_require(` - type openhpid_port_t; - ') - - allow $1 openhpid_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openhpid_port'($*)) dnl - ') - - - -######################################## -## -## Send openhpid_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_client_packets'($*)) dnl - - gen_require(` - type openhpid_client_packet_t; - ') - - allow $1 openhpid_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send openhpid_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl - - gen_require(` - type openhpid_client_packet_t; - ') - - dontaudit $1 openhpid_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive openhpid_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_client_packets'($*)) dnl - - gen_require(` - type openhpid_client_packet_t; - ') - - allow $1 openhpid_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive openhpid_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl - - gen_require(` - type openhpid_client_packet_t; - ') - - dontaudit $1 openhpid_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive openhpid_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_client_packets'($*)) dnl - - corenet_send_openhpid_client_packets($1) - corenet_receive_openhpid_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive openhpid_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl - - corenet_dontaudit_send_openhpid_client_packets($1) - corenet_dontaudit_receive_openhpid_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to openhpid_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_openhpid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_client_packets'($*)) dnl - - gen_require(` - type openhpid_client_packet_t; - ') - - allow $1 openhpid_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send openhpid_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_server_packets'($*)) dnl - - gen_require(` - type openhpid_server_packet_t; - ') - - allow $1 openhpid_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send openhpid_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl - - gen_require(` - type openhpid_server_packet_t; - ') - - dontaudit $1 openhpid_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive openhpid_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_server_packets'($*)) dnl - - gen_require(` - type openhpid_server_packet_t; - ') - - allow $1 openhpid_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive openhpid_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl - - gen_require(` - type openhpid_server_packet_t; - ') - - dontaudit $1 openhpid_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive openhpid_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_server_packets'($*)) dnl - - corenet_send_openhpid_server_packets($1) - corenet_receive_openhpid_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive openhpid_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl - - corenet_dontaudit_send_openhpid_server_packets($1) - corenet_dontaudit_receive_openhpid_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to openhpid_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_openhpid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_server_packets'($*)) dnl - - gen_require(` - type openhpid_server_packet_t; - ') - - allow $1 openhpid_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the openvpn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the openvpn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the openvpn port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the openvpn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the openvpn port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the openvpn port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the openvpn port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the openvpn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvpn_port'($*)) dnl - - gen_require(` - type openvpn_port_t; - ') - - allow $1 openvpn_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the openvpn port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvpn_port'($*)) dnl - - gen_require(` - type openvpn_port_t; - ') - - allow $1 openvpn_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvpn_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the openvpn port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_openvpn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvpn_port'($*)) dnl - - gen_require(` - type openvpn_port_t; - ') - - allow $1 openvpn_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvpn_port'($*)) dnl - ') - - - -######################################## -## -## Send openvpn_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_client_packets'($*)) dnl - - gen_require(` - type openvpn_client_packet_t; - ') - - allow $1 openvpn_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send openvpn_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl - - gen_require(` - type openvpn_client_packet_t; - ') - - dontaudit $1 openvpn_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive openvpn_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_client_packets'($*)) dnl - - gen_require(` - type openvpn_client_packet_t; - ') - - allow $1 openvpn_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive openvpn_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl - - gen_require(` - type openvpn_client_packet_t; - ') - - dontaudit $1 openvpn_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive openvpn_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_client_packets'($*)) dnl - - corenet_send_openvpn_client_packets($1) - corenet_receive_openvpn_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive openvpn_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl - - corenet_dontaudit_send_openvpn_client_packets($1) - corenet_dontaudit_receive_openvpn_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to openvpn_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_openvpn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_client_packets'($*)) dnl - - gen_require(` - type openvpn_client_packet_t; - ') - - allow $1 openvpn_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send openvpn_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_server_packets'($*)) dnl - - gen_require(` - type openvpn_server_packet_t; - ') - - allow $1 openvpn_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send openvpn_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl - - gen_require(` - type openvpn_server_packet_t; - ') - - dontaudit $1 openvpn_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive openvpn_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_server_packets'($*)) dnl - - gen_require(` - type openvpn_server_packet_t; - ') - - allow $1 openvpn_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive openvpn_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl - - gen_require(` - type openvpn_server_packet_t; - ') - - dontaudit $1 openvpn_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive openvpn_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_server_packets'($*)) dnl - - corenet_send_openvpn_server_packets($1) - corenet_receive_openvpn_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive openvpn_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl - - corenet_dontaudit_send_openvpn_server_packets($1) - corenet_dontaudit_receive_openvpn_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to openvpn_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_openvpn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_server_packets'($*)) dnl - - gen_require(` - type openvpn_server_packet_t; - ') - - allow $1 openvpn_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pdps port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pdps_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pdps port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pdps_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pdps port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pdps_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pdps port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pdps_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pdps port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pdps port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pdps_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pdps port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pdps port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pdps_port'($*)) dnl - - gen_require(` - type pdps_port_t; - ') - - allow $1 pdps_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pdps_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pdps port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pdps_port'($*)) dnl - - gen_require(` - type pdps_port_t; - ') - - allow $1 pdps_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pdps_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pdps port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pdps_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pdps_port'($*)) dnl - - gen_require(` - type pdps_port_t; - ') - - allow $1 pdps_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pdps_port'($*)) dnl - ') - - - -######################################## -## -## Send pdps_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_client_packets'($*)) dnl - - gen_require(` - type pdps_client_packet_t; - ') - - allow $1 pdps_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pdps_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_client_packets'($*)) dnl - - gen_require(` - type pdps_client_packet_t; - ') - - dontaudit $1 pdps_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pdps_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_client_packets'($*)) dnl - - gen_require(` - type pdps_client_packet_t; - ') - - allow $1 pdps_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pdps_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl - - gen_require(` - type pdps_client_packet_t; - ') - - dontaudit $1 pdps_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pdps_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_client_packets'($*)) dnl - - corenet_send_pdps_client_packets($1) - corenet_receive_pdps_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pdps_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl - - corenet_dontaudit_send_pdps_client_packets($1) - corenet_dontaudit_receive_pdps_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pdps_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pdps_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_client_packets'($*)) dnl - - gen_require(` - type pdps_client_packet_t; - ') - - allow $1 pdps_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pdps_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_server_packets'($*)) dnl - - gen_require(` - type pdps_server_packet_t; - ') - - allow $1 pdps_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pdps_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_server_packets'($*)) dnl - - gen_require(` - type pdps_server_packet_t; - ') - - dontaudit $1 pdps_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pdps_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_server_packets'($*)) dnl - - gen_require(` - type pdps_server_packet_t; - ') - - allow $1 pdps_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pdps_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl - - gen_require(` - type pdps_server_packet_t; - ') - - dontaudit $1 pdps_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pdps_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_server_packets'($*)) dnl - - corenet_send_pdps_server_packets($1) - corenet_receive_pdps_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pdps_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl - - corenet_dontaudit_send_pdps_server_packets($1) - corenet_dontaudit_receive_pdps_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pdps_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pdps_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_server_packets'($*)) dnl - - gen_require(` - type pdps_server_packet_t; - ') - - allow $1 pdps_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pegasus_http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pegasus_http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pegasus_http port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pegasus_http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pegasus_http port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pegasus_http port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pegasus_http port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pegasus_http port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_http_port'($*)) dnl - - gen_require(` - type pegasus_http_port_t; - ') - - allow $1 pegasus_http_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pegasus_http port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_http_port'($*)) dnl - - gen_require(` - type pegasus_http_port_t; - ') - - allow $1 pegasus_http_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_http_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pegasus_http port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pegasus_http_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_http_port'($*)) dnl - - gen_require(` - type pegasus_http_port_t; - ') - - allow $1 pegasus_http_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_http_port'($*)) dnl - ') - - - -######################################## -## -## Send pegasus_http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_client_packets'($*)) dnl - - gen_require(` - type pegasus_http_client_packet_t; - ') - - allow $1 pegasus_http_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pegasus_http_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl - - gen_require(` - type pegasus_http_client_packet_t; - ') - - dontaudit $1 pegasus_http_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pegasus_http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_client_packets'($*)) dnl - - gen_require(` - type pegasus_http_client_packet_t; - ') - - allow $1 pegasus_http_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pegasus_http_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl - - gen_require(` - type pegasus_http_client_packet_t; - ') - - dontaudit $1 pegasus_http_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pegasus_http_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl - - corenet_send_pegasus_http_client_packets($1) - corenet_receive_pegasus_http_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pegasus_http_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl - - corenet_dontaudit_send_pegasus_http_client_packets($1) - corenet_dontaudit_receive_pegasus_http_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pegasus_http_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pegasus_http_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_client_packets'($*)) dnl - - gen_require(` - type pegasus_http_client_packet_t; - ') - - allow $1 pegasus_http_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pegasus_http_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_server_packets'($*)) dnl - - gen_require(` - type pegasus_http_server_packet_t; - ') - - allow $1 pegasus_http_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pegasus_http_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl - - gen_require(` - type pegasus_http_server_packet_t; - ') - - dontaudit $1 pegasus_http_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pegasus_http_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_server_packets'($*)) dnl - - gen_require(` - type pegasus_http_server_packet_t; - ') - - allow $1 pegasus_http_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pegasus_http_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl - - gen_require(` - type pegasus_http_server_packet_t; - ') - - dontaudit $1 pegasus_http_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pegasus_http_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl - - corenet_send_pegasus_http_server_packets($1) - corenet_receive_pegasus_http_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pegasus_http_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl - - corenet_dontaudit_send_pegasus_http_server_packets($1) - corenet_dontaudit_receive_pegasus_http_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pegasus_http_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pegasus_http_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_server_packets'($*)) dnl - - gen_require(` - type pegasus_http_server_packet_t; - ') - - allow $1 pegasus_http_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pegasus_https port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pegasus_https port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pegasus_https port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pegasus_https port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pegasus_https port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pegasus_https port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pegasus_https port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pegasus_https port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_https_port'($*)) dnl - - gen_require(` - type pegasus_https_port_t; - ') - - allow $1 pegasus_https_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pegasus_https port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_https_port'($*)) dnl - - gen_require(` - type pegasus_https_port_t; - ') - - allow $1 pegasus_https_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_https_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pegasus_https port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pegasus_https_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_https_port'($*)) dnl - - gen_require(` - type pegasus_https_port_t; - ') - - allow $1 pegasus_https_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_https_port'($*)) dnl - ') - - - -######################################## -## -## Send pegasus_https_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_client_packets'($*)) dnl - - gen_require(` - type pegasus_https_client_packet_t; - ') - - allow $1 pegasus_https_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pegasus_https_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl - - gen_require(` - type pegasus_https_client_packet_t; - ') - - dontaudit $1 pegasus_https_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pegasus_https_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_client_packets'($*)) dnl - - gen_require(` - type pegasus_https_client_packet_t; - ') - - allow $1 pegasus_https_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pegasus_https_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl - - gen_require(` - type pegasus_https_client_packet_t; - ') - - dontaudit $1 pegasus_https_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pegasus_https_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl - - corenet_send_pegasus_https_client_packets($1) - corenet_receive_pegasus_https_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pegasus_https_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl - - corenet_dontaudit_send_pegasus_https_client_packets($1) - corenet_dontaudit_receive_pegasus_https_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pegasus_https_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pegasus_https_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_client_packets'($*)) dnl - - gen_require(` - type pegasus_https_client_packet_t; - ') - - allow $1 pegasus_https_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pegasus_https_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_server_packets'($*)) dnl - - gen_require(` - type pegasus_https_server_packet_t; - ') - - allow $1 pegasus_https_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pegasus_https_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl - - gen_require(` - type pegasus_https_server_packet_t; - ') - - dontaudit $1 pegasus_https_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pegasus_https_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_server_packets'($*)) dnl - - gen_require(` - type pegasus_https_server_packet_t; - ') - - allow $1 pegasus_https_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pegasus_https_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl - - gen_require(` - type pegasus_https_server_packet_t; - ') - - dontaudit $1 pegasus_https_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pegasus_https_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl - - corenet_send_pegasus_https_server_packets($1) - corenet_receive_pegasus_https_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pegasus_https_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl - - corenet_dontaudit_send_pegasus_https_server_packets($1) - corenet_dontaudit_receive_pegasus_https_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pegasus_https_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pegasus_https_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_server_packets'($*)) dnl - - gen_require(` - type pegasus_https_server_packet_t; - ') - - allow $1 pegasus_https_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pgpkeyserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pgpkeyserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pgpkeyserver port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pgpkeyserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pgpkeyserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pgpkeyserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pgpkeyserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pgpkeyserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl - - gen_require(` - type pgpkeyserver_port_t; - ') - - allow $1 pgpkeyserver_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pgpkeyserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pgpkeyserver_port'($*)) dnl - - gen_require(` - type pgpkeyserver_port_t; - ') - - allow $1 pgpkeyserver_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pgpkeyserver_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pgpkeyserver port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pgpkeyserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl - - gen_require(` - type pgpkeyserver_port_t; - ') - - allow $1 pgpkeyserver_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl - ') - - - -######################################## -## -## Send pgpkeyserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_client_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_client_packet_t; - ') - - allow $1 pgpkeyserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pgpkeyserver_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_client_packet_t; - ') - - dontaudit $1 pgpkeyserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pgpkeyserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_client_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_client_packet_t; - ') - - allow $1 pgpkeyserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pgpkeyserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_client_packet_t; - ') - - dontaudit $1 pgpkeyserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pgpkeyserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl - - corenet_send_pgpkeyserver_client_packets($1) - corenet_receive_pgpkeyserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pgpkeyserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl - - corenet_dontaudit_send_pgpkeyserver_client_packets($1) - corenet_dontaudit_receive_pgpkeyserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pgpkeyserver_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pgpkeyserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_client_packet_t; - ') - - allow $1 pgpkeyserver_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pgpkeyserver_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_server_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_server_packet_t; - ') - - allow $1 pgpkeyserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pgpkeyserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_server_packet_t; - ') - - dontaudit $1 pgpkeyserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pgpkeyserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_server_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_server_packet_t; - ') - - allow $1 pgpkeyserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pgpkeyserver_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_server_packet_t; - ') - - dontaudit $1 pgpkeyserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pgpkeyserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl - - corenet_send_pgpkeyserver_server_packets($1) - corenet_receive_pgpkeyserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pgpkeyserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl - - corenet_dontaudit_send_pgpkeyserver_server_packets($1) - corenet_dontaudit_receive_pgpkeyserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pgpkeyserver_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pgpkeyserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl - - gen_require(` - type pgpkeyserver_server_packet_t; - ') - - allow $1 pgpkeyserver_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pingd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pingd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pingd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pingd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pingd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pingd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pingd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pingd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pingd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pingd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pingd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pingd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pingd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pingd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pingd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pingd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pingd_port'($*)) dnl - - gen_require(` - type pingd_port_t; - ') - - allow $1 pingd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pingd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pingd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pingd_port'($*)) dnl - - gen_require(` - type pingd_port_t; - ') - - allow $1 pingd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pingd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pingd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pingd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pingd_port'($*)) dnl - - gen_require(` - type pingd_port_t; - ') - - allow $1 pingd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pingd_port'($*)) dnl - ') - - - -######################################## -## -## Send pingd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_client_packets'($*)) dnl - - gen_require(` - type pingd_client_packet_t; - ') - - allow $1 pingd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pingd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_client_packets'($*)) dnl - - gen_require(` - type pingd_client_packet_t; - ') - - dontaudit $1 pingd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pingd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_client_packets'($*)) dnl - - gen_require(` - type pingd_client_packet_t; - ') - - allow $1 pingd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pingd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_client_packets'($*)) dnl - - gen_require(` - type pingd_client_packet_t; - ') - - dontaudit $1 pingd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pingd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_client_packets'($*)) dnl - - corenet_send_pingd_client_packets($1) - corenet_receive_pingd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pingd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_client_packets'($*)) dnl - - corenet_dontaudit_send_pingd_client_packets($1) - corenet_dontaudit_receive_pingd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pingd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pingd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_client_packets'($*)) dnl - - gen_require(` - type pingd_client_packet_t; - ') - - allow $1 pingd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pingd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_server_packets'($*)) dnl - - gen_require(` - type pingd_server_packet_t; - ') - - allow $1 pingd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pingd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_server_packets'($*)) dnl - - gen_require(` - type pingd_server_packet_t; - ') - - dontaudit $1 pingd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pingd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_server_packets'($*)) dnl - - gen_require(` - type pingd_server_packet_t; - ') - - allow $1 pingd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pingd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_server_packets'($*)) dnl - - gen_require(` - type pingd_server_packet_t; - ') - - dontaudit $1 pingd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pingd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_server_packets'($*)) dnl - - corenet_send_pingd_server_packets($1) - corenet_receive_pingd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pingd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_server_packets'($*)) dnl - - corenet_dontaudit_send_pingd_server_packets($1) - corenet_dontaudit_receive_pingd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pingd_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pingd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_server_packets'($*)) dnl - - gen_require(` - type pingd_server_packet_t; - ') - - allow $1 pingd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pktcable_cops port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pktcable_cops port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pktcable_cops port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pktcable_cops port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pktcable_cops port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pktcable_cops port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pktcable_cops port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pktcable_cops port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pktcable_cops_port'($*)) dnl - - gen_require(` - type pktcable_cops_port_t; - ') - - allow $1 pktcable_cops_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pktcable_cops port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pktcable_cops_port'($*)) dnl - - gen_require(` - type pktcable_cops_port_t; - ') - - allow $1 pktcable_cops_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pktcable_cops_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pktcable_cops port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pktcable_cops_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pktcable_cops_port'($*)) dnl - - gen_require(` - type pktcable_cops_port_t; - ') - - allow $1 pktcable_cops_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pktcable_cops_port'($*)) dnl - ') - - - -######################################## -## -## Send pktcable_cops_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_client_packets'($*)) dnl - - gen_require(` - type pktcable_cops_client_packet_t; - ') - - allow $1 pktcable_cops_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pktcable_cops_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl - - gen_require(` - type pktcable_cops_client_packet_t; - ') - - dontaudit $1 pktcable_cops_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pktcable_cops_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_client_packets'($*)) dnl - - gen_require(` - type pktcable_cops_client_packet_t; - ') - - allow $1 pktcable_cops_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pktcable_cops_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl - - gen_require(` - type pktcable_cops_client_packet_t; - ') - - dontaudit $1 pktcable_cops_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pktcable_cops_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl - - corenet_send_pktcable_cops_client_packets($1) - corenet_receive_pktcable_cops_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pktcable_cops_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl - - corenet_dontaudit_send_pktcable_cops_client_packets($1) - corenet_dontaudit_receive_pktcable_cops_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pktcable_cops_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pktcable_cops_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl - - gen_require(` - type pktcable_cops_client_packet_t; - ') - - allow $1 pktcable_cops_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pktcable_cops_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_server_packets'($*)) dnl - - gen_require(` - type pktcable_cops_server_packet_t; - ') - - allow $1 pktcable_cops_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pktcable_cops_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl - - gen_require(` - type pktcable_cops_server_packet_t; - ') - - dontaudit $1 pktcable_cops_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pktcable_cops_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_server_packets'($*)) dnl - - gen_require(` - type pktcable_cops_server_packet_t; - ') - - allow $1 pktcable_cops_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pktcable_cops_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl - - gen_require(` - type pktcable_cops_server_packet_t; - ') - - dontaudit $1 pktcable_cops_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pktcable_cops_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl - - corenet_send_pktcable_cops_server_packets($1) - corenet_receive_pktcable_cops_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pktcable_cops_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl - - corenet_dontaudit_send_pktcable_cops_server_packets($1) - corenet_dontaudit_receive_pktcable_cops_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pktcable_cops_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pktcable_cops_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl - - gen_require(` - type pktcable_cops_server_packet_t; - ') - - allow $1 pktcable_cops_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pop_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pop port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pop_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pop_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pop_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pop port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pop port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pop_port'($*)) dnl - - gen_require(` - type pop_port_t; - ') - - allow $1 pop_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pop_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pop port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pop_port'($*)) dnl - - gen_require(` - type pop_port_t; - ') - - allow $1 pop_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pop_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pop port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pop_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pop_port'($*)) dnl - - gen_require(` - type pop_port_t; - ') - - allow $1 pop_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pop_port'($*)) dnl - ') - - - -######################################## -## -## Send pop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pop_client_packets'($*)) dnl - - gen_require(` - type pop_client_packet_t; - ') - - allow $1 pop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pop_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_client_packets'($*)) dnl - - gen_require(` - type pop_client_packet_t; - ') - - dontaudit $1 pop_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_client_packets'($*)) dnl - - gen_require(` - type pop_client_packet_t; - ') - - allow $1 pop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pop_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_client_packets'($*)) dnl - - gen_require(` - type pop_client_packet_t; - ') - - dontaudit $1 pop_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pop_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_client_packets'($*)) dnl - - corenet_send_pop_client_packets($1) - corenet_receive_pop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pop_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl - - corenet_dontaudit_send_pop_client_packets($1) - corenet_dontaudit_receive_pop_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pop_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pop_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_client_packets'($*)) dnl - - gen_require(` - type pop_client_packet_t; - ') - - allow $1 pop_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pop_server_packets'($*)) dnl - - gen_require(` - type pop_server_packet_t; - ') - - allow $1 pop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_server_packets'($*)) dnl - - gen_require(` - type pop_server_packet_t; - ') - - dontaudit $1 pop_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_server_packets'($*)) dnl - - gen_require(` - type pop_server_packet_t; - ') - - allow $1 pop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pop_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_server_packets'($*)) dnl - - gen_require(` - type pop_server_packet_t; - ') - - dontaudit $1 pop_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pop_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_server_packets'($*)) dnl - - corenet_send_pop_server_packets($1) - corenet_receive_pop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pop_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl - - corenet_dontaudit_send_pop_server_packets($1) - corenet_dontaudit_receive_pop_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pop_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pop_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_server_packets'($*)) dnl - - gen_require(` - type pop_server_packet_t; - ') - - allow $1 pop_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the portmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_portmap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the portmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_portmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the portmap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_portmap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the portmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_portmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the portmap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the portmap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_portmap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the portmap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the portmap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_portmap_port'($*)) dnl - - gen_require(` - type portmap_port_t; - ') - - allow $1 portmap_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_portmap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the portmap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_portmap_port'($*)) dnl - - gen_require(` - type portmap_port_t; - ') - - allow $1 portmap_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_portmap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the portmap port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_portmap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_portmap_port'($*)) dnl - - gen_require(` - type portmap_port_t; - ') - - allow $1 portmap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_portmap_port'($*)) dnl - ') - - - -######################################## -## -## Send portmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_client_packets'($*)) dnl - - gen_require(` - type portmap_client_packet_t; - ') - - allow $1 portmap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send portmap_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_client_packets'($*)) dnl - - gen_require(` - type portmap_client_packet_t; - ') - - dontaudit $1 portmap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive portmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_client_packets'($*)) dnl - - gen_require(` - type portmap_client_packet_t; - ') - - allow $1 portmap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive portmap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl - - gen_require(` - type portmap_client_packet_t; - ') - - dontaudit $1 portmap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive portmap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_client_packets'($*)) dnl - - corenet_send_portmap_client_packets($1) - corenet_receive_portmap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive portmap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl - - corenet_dontaudit_send_portmap_client_packets($1) - corenet_dontaudit_receive_portmap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to portmap_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_portmap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_client_packets'($*)) dnl - - gen_require(` - type portmap_client_packet_t; - ') - - allow $1 portmap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send portmap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_server_packets'($*)) dnl - - gen_require(` - type portmap_server_packet_t; - ') - - allow $1 portmap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send portmap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_server_packets'($*)) dnl - - gen_require(` - type portmap_server_packet_t; - ') - - dontaudit $1 portmap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive portmap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_server_packets'($*)) dnl - - gen_require(` - type portmap_server_packet_t; - ') - - allow $1 portmap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive portmap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl - - gen_require(` - type portmap_server_packet_t; - ') - - dontaudit $1 portmap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive portmap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_server_packets'($*)) dnl - - corenet_send_portmap_server_packets($1) - corenet_receive_portmap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive portmap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl - - corenet_dontaudit_send_portmap_server_packets($1) - corenet_dontaudit_receive_portmap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to portmap_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_portmap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_server_packets'($*)) dnl - - gen_require(` - type portmap_server_packet_t; - ') - - allow $1 portmap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the postfix_policyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the postfix_policyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the postfix_policyd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the postfix_policyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the postfix_policyd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the postfix_policyd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the postfix_policyd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the postfix_policyd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postfix_policyd_port'($*)) dnl - - gen_require(` - type postfix_policyd_port_t; - ') - - allow $1 postfix_policyd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the postfix_policyd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postfix_policyd_port'($*)) dnl - - gen_require(` - type postfix_policyd_port_t; - ') - - allow $1 postfix_policyd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postfix_policyd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the postfix_policyd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_postfix_policyd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postfix_policyd_port'($*)) dnl - - gen_require(` - type postfix_policyd_port_t; - ') - - allow $1 postfix_policyd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postfix_policyd_port'($*)) dnl - ') - - - -######################################## -## -## Send postfix_policyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_client_packets'($*)) dnl - - gen_require(` - type postfix_policyd_client_packet_t; - ') - - allow $1 postfix_policyd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postfix_policyd_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl - - gen_require(` - type postfix_policyd_client_packet_t; - ') - - dontaudit $1 postfix_policyd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive postfix_policyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_client_packets'($*)) dnl - - gen_require(` - type postfix_policyd_client_packet_t; - ') - - allow $1 postfix_policyd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postfix_policyd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl - - gen_require(` - type postfix_policyd_client_packet_t; - ') - - dontaudit $1 postfix_policyd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postfix_policyd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl - - corenet_send_postfix_policyd_client_packets($1) - corenet_receive_postfix_policyd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postfix_policyd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl - - corenet_dontaudit_send_postfix_policyd_client_packets($1) - corenet_dontaudit_receive_postfix_policyd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postfix_policyd_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_postfix_policyd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl - - gen_require(` - type postfix_policyd_client_packet_t; - ') - - allow $1 postfix_policyd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send postfix_policyd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_server_packets'($*)) dnl - - gen_require(` - type postfix_policyd_server_packet_t; - ') - - allow $1 postfix_policyd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postfix_policyd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl - - gen_require(` - type postfix_policyd_server_packet_t; - ') - - dontaudit $1 postfix_policyd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive postfix_policyd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_server_packets'($*)) dnl - - gen_require(` - type postfix_policyd_server_packet_t; - ') - - allow $1 postfix_policyd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postfix_policyd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl - - gen_require(` - type postfix_policyd_server_packet_t; - ') - - dontaudit $1 postfix_policyd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postfix_policyd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl - - corenet_send_postfix_policyd_server_packets($1) - corenet_receive_postfix_policyd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postfix_policyd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl - - corenet_dontaudit_send_postfix_policyd_server_packets($1) - corenet_dontaudit_receive_postfix_policyd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postfix_policyd_server the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_postfix_policyd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl - - gen_require(` - type postfix_policyd_server_packet_t; - ') - - allow $1 postfix_policyd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the postgresql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the postgresql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the postgresql port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the postgresql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the postgresql port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the postgresql port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the postgresql port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the postgresql port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgresql_port'($*)) dnl - - gen_require(` - type postgresql_port_t; - ') - - allow $1 postgresql_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the postgresql port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgresql_port'($*)) dnl - - gen_require(` - type postgresql_port_t; - ') - - allow $1 postgresql_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgresql_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the postgresql port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_postgresql_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgresql_port'($*)) dnl - - gen_require(` - type postgresql_port_t; - ') - - allow $1 postgresql_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgresql_port'($*)) dnl - ') - - - -######################################## -## -## Send postgresql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_client_packets'($*)) dnl - - gen_require(` - type postgresql_client_packet_t; - ') - - allow $1 postgresql_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postgresql_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl - - gen_require(` - type postgresql_client_packet_t; - ') - - dontaudit $1 postgresql_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive postgresql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_client_packets'($*)) dnl - - gen_require(` - type postgresql_client_packet_t; - ') - - allow $1 postgresql_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postgresql_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl - - gen_require(` - type postgresql_client_packet_t; - ') - - dontaudit $1 postgresql_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postgresql_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_client_packets'($*)) dnl - - corenet_send_postgresql_client_packets($1) - corenet_receive_postgresql_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postgresql_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl - - corenet_dontaudit_send_postgresql_client_packets($1) - corenet_dontaudit_receive_postgresql_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postgresql_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_postgresql_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_client_packets'($*)) dnl - - gen_require(` - type postgresql_client_packet_t; - ') - - allow $1 postgresql_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send postgresql_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_server_packets'($*)) dnl - - gen_require(` - type postgresql_server_packet_t; - ') - - allow $1 postgresql_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postgresql_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl - - gen_require(` - type postgresql_server_packet_t; - ') - - dontaudit $1 postgresql_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive postgresql_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_server_packets'($*)) dnl - - gen_require(` - type postgresql_server_packet_t; - ') - - allow $1 postgresql_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postgresql_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl - - gen_require(` - type postgresql_server_packet_t; - ') - - dontaudit $1 postgresql_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postgresql_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_server_packets'($*)) dnl - - corenet_send_postgresql_server_packets($1) - corenet_receive_postgresql_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postgresql_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl - - corenet_dontaudit_send_postgresql_server_packets($1) - corenet_dontaudit_receive_postgresql_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postgresql_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_postgresql_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_server_packets'($*)) dnl - - gen_require(` - type postgresql_server_packet_t; - ') - - allow $1 postgresql_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the postgrey port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the postgrey port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the postgrey port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the postgrey port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the postgrey port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the postgrey port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the postgrey port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the postgrey port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgrey_port'($*)) dnl - - gen_require(` - type postgrey_port_t; - ') - - allow $1 postgrey_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the postgrey port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgrey_port'($*)) dnl - - gen_require(` - type postgrey_port_t; - ') - - allow $1 postgrey_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgrey_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the postgrey port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_postgrey_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgrey_port'($*)) dnl - - gen_require(` - type postgrey_port_t; - ') - - allow $1 postgrey_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgrey_port'($*)) dnl - ') - - - -######################################## -## -## Send postgrey_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_client_packets'($*)) dnl - - gen_require(` - type postgrey_client_packet_t; - ') - - allow $1 postgrey_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postgrey_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl - - gen_require(` - type postgrey_client_packet_t; - ') - - dontaudit $1 postgrey_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive postgrey_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_client_packets'($*)) dnl - - gen_require(` - type postgrey_client_packet_t; - ') - - allow $1 postgrey_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postgrey_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl - - gen_require(` - type postgrey_client_packet_t; - ') - - dontaudit $1 postgrey_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postgrey_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_client_packets'($*)) dnl - - corenet_send_postgrey_client_packets($1) - corenet_receive_postgrey_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postgrey_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl - - corenet_dontaudit_send_postgrey_client_packets($1) - corenet_dontaudit_receive_postgrey_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postgrey_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_postgrey_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_client_packets'($*)) dnl - - gen_require(` - type postgrey_client_packet_t; - ') - - allow $1 postgrey_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send postgrey_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_server_packets'($*)) dnl - - gen_require(` - type postgrey_server_packet_t; - ') - - allow $1 postgrey_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send postgrey_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl - - gen_require(` - type postgrey_server_packet_t; - ') - - dontaudit $1 postgrey_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive postgrey_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_server_packets'($*)) dnl - - gen_require(` - type postgrey_server_packet_t; - ') - - allow $1 postgrey_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive postgrey_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl - - gen_require(` - type postgrey_server_packet_t; - ') - - dontaudit $1 postgrey_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive postgrey_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_server_packets'($*)) dnl - - corenet_send_postgrey_server_packets($1) - corenet_receive_postgrey_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive postgrey_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl - - corenet_dontaudit_send_postgrey_server_packets($1) - corenet_dontaudit_receive_postgrey_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to postgrey_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_postgrey_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_server_packets'($*)) dnl - - gen_require(` - type postgrey_server_packet_t; - ') - - allow $1 postgrey_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pptp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pptp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pptp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pptp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pptp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pptp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pptp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pptp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pptp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pptp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pptp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pptp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pptp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pptp_port'($*)) dnl - - gen_require(` - type pptp_port_t; - ') - - allow $1 pptp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pptp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pptp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pptp_port'($*)) dnl - - gen_require(` - type pptp_port_t; - ') - - allow $1 pptp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pptp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pptp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pptp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pptp_port'($*)) dnl - - gen_require(` - type pptp_port_t; - ') - - allow $1 pptp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pptp_port'($*)) dnl - ') - - - -######################################## -## -## Send pptp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_client_packets'($*)) dnl - - gen_require(` - type pptp_client_packet_t; - ') - - allow $1 pptp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pptp_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_client_packets'($*)) dnl - - gen_require(` - type pptp_client_packet_t; - ') - - dontaudit $1 pptp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pptp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_client_packets'($*)) dnl - - gen_require(` - type pptp_client_packet_t; - ') - - allow $1 pptp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pptp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl - - gen_require(` - type pptp_client_packet_t; - ') - - dontaudit $1 pptp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pptp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_client_packets'($*)) dnl - - corenet_send_pptp_client_packets($1) - corenet_receive_pptp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pptp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl - - corenet_dontaudit_send_pptp_client_packets($1) - corenet_dontaudit_receive_pptp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pptp_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pptp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_client_packets'($*)) dnl - - gen_require(` - type pptp_client_packet_t; - ') - - allow $1 pptp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pptp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_server_packets'($*)) dnl - - gen_require(` - type pptp_server_packet_t; - ') - - allow $1 pptp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pptp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_server_packets'($*)) dnl - - gen_require(` - type pptp_server_packet_t; - ') - - dontaudit $1 pptp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pptp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_server_packets'($*)) dnl - - gen_require(` - type pptp_server_packet_t; - ') - - allow $1 pptp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pptp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl - - gen_require(` - type pptp_server_packet_t; - ') - - dontaudit $1 pptp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pptp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_server_packets'($*)) dnl - - corenet_send_pptp_server_packets($1) - corenet_receive_pptp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pptp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl - - corenet_dontaudit_send_pptp_server_packets($1) - corenet_dontaudit_receive_pptp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pptp_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pptp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_server_packets'($*)) dnl - - gen_require(` - type pptp_server_packet_t; - ') - - allow $1 pptp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the prelude port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prelude_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the prelude port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_prelude_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the prelude port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prelude_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the prelude port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prelude_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the prelude port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the prelude port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prelude_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the prelude port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the prelude port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prelude_port'($*)) dnl - - gen_require(` - type prelude_port_t; - ') - - allow $1 prelude_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prelude_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the prelude port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prelude_port'($*)) dnl - - gen_require(` - type prelude_port_t; - ') - - allow $1 prelude_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prelude_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the prelude port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_prelude_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prelude_port'($*)) dnl - - gen_require(` - type prelude_port_t; - ') - - allow $1 prelude_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prelude_port'($*)) dnl - ') - - - -######################################## -## -## Send prelude_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_client_packets'($*)) dnl - - gen_require(` - type prelude_client_packet_t; - ') - - allow $1 prelude_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send prelude_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_client_packets'($*)) dnl - - gen_require(` - type prelude_client_packet_t; - ') - - dontaudit $1 prelude_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive prelude_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_client_packets'($*)) dnl - - gen_require(` - type prelude_client_packet_t; - ') - - allow $1 prelude_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive prelude_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl - - gen_require(` - type prelude_client_packet_t; - ') - - dontaudit $1 prelude_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive prelude_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_client_packets'($*)) dnl - - corenet_send_prelude_client_packets($1) - corenet_receive_prelude_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive prelude_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl - - corenet_dontaudit_send_prelude_client_packets($1) - corenet_dontaudit_receive_prelude_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to prelude_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_prelude_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_client_packets'($*)) dnl - - gen_require(` - type prelude_client_packet_t; - ') - - allow $1 prelude_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send prelude_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_server_packets'($*)) dnl - - gen_require(` - type prelude_server_packet_t; - ') - - allow $1 prelude_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send prelude_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_server_packets'($*)) dnl - - gen_require(` - type prelude_server_packet_t; - ') - - dontaudit $1 prelude_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive prelude_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_server_packets'($*)) dnl - - gen_require(` - type prelude_server_packet_t; - ') - - allow $1 prelude_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive prelude_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl - - gen_require(` - type prelude_server_packet_t; - ') - - dontaudit $1 prelude_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive prelude_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_server_packets'($*)) dnl - - corenet_send_prelude_server_packets($1) - corenet_receive_prelude_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive prelude_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl - - corenet_dontaudit_send_prelude_server_packets($1) - corenet_dontaudit_receive_prelude_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to prelude_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_prelude_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_server_packets'($*)) dnl - - gen_require(` - type prelude_server_packet_t; - ') - - allow $1 prelude_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the presence port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_presence_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the presence port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_presence_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the presence port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_presence_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the presence port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_presence_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the presence port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_presence_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the presence port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_presence_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the presence port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the presence port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_presence_port'($*)) dnl - - gen_require(` - type presence_port_t; - ') - - allow $1 presence_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_presence_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the presence port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_presence_port'($*)) dnl - - gen_require(` - type presence_port_t; - ') - - allow $1 presence_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_presence_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the presence port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_presence_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_presence_port'($*)) dnl - - gen_require(` - type presence_port_t; - ') - - allow $1 presence_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_presence_port'($*)) dnl - ') - - - -######################################## -## -## Send presence_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_presence_client_packets'($*)) dnl - - gen_require(` - type presence_client_packet_t; - ') - - allow $1 presence_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send presence_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_client_packets'($*)) dnl - - gen_require(` - type presence_client_packet_t; - ') - - dontaudit $1 presence_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive presence_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_client_packets'($*)) dnl - - gen_require(` - type presence_client_packet_t; - ') - - allow $1 presence_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive presence_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_client_packets'($*)) dnl - - gen_require(` - type presence_client_packet_t; - ') - - dontaudit $1 presence_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive presence_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_client_packets'($*)) dnl - - corenet_send_presence_client_packets($1) - corenet_receive_presence_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive presence_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl - - corenet_dontaudit_send_presence_client_packets($1) - corenet_dontaudit_receive_presence_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to presence_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_presence_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_client_packets'($*)) dnl - - gen_require(` - type presence_client_packet_t; - ') - - allow $1 presence_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send presence_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_presence_server_packets'($*)) dnl - - gen_require(` - type presence_server_packet_t; - ') - - allow $1 presence_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send presence_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_server_packets'($*)) dnl - - gen_require(` - type presence_server_packet_t; - ') - - dontaudit $1 presence_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive presence_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_server_packets'($*)) dnl - - gen_require(` - type presence_server_packet_t; - ') - - allow $1 presence_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive presence_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_server_packets'($*)) dnl - - gen_require(` - type presence_server_packet_t; - ') - - dontaudit $1 presence_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive presence_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_server_packets'($*)) dnl - - corenet_send_presence_server_packets($1) - corenet_receive_presence_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive presence_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl - - corenet_dontaudit_send_presence_server_packets($1) - corenet_dontaudit_receive_presence_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to presence_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_presence_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_server_packets'($*)) dnl - - gen_require(` - type presence_server_packet_t; - ') - - allow $1 presence_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the printer port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_printer_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the printer port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_printer_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the printer port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_printer_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the printer port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_printer_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the printer port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_printer_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the printer port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_printer_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the printer port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the printer port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_printer_port'($*)) dnl - - gen_require(` - type printer_port_t; - ') - - allow $1 printer_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_printer_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the printer port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_printer_port'($*)) dnl - - gen_require(` - type printer_port_t; - ') - - allow $1 printer_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_printer_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the printer port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_printer_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_printer_port'($*)) dnl - - gen_require(` - type printer_port_t; - ') - - allow $1 printer_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_printer_port'($*)) dnl - ') - - - -######################################## -## -## Send printer_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_printer_client_packets'($*)) dnl - - gen_require(` - type printer_client_packet_t; - ') - - allow $1 printer_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send printer_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_client_packets'($*)) dnl - - gen_require(` - type printer_client_packet_t; - ') - - dontaudit $1 printer_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive printer_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_client_packets'($*)) dnl - - gen_require(` - type printer_client_packet_t; - ') - - allow $1 printer_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive printer_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_client_packets'($*)) dnl - - gen_require(` - type printer_client_packet_t; - ') - - dontaudit $1 printer_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive printer_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_client_packets'($*)) dnl - - corenet_send_printer_client_packets($1) - corenet_receive_printer_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive printer_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl - - corenet_dontaudit_send_printer_client_packets($1) - corenet_dontaudit_receive_printer_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to printer_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_printer_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_client_packets'($*)) dnl - - gen_require(` - type printer_client_packet_t; - ') - - allow $1 printer_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send printer_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_printer_server_packets'($*)) dnl - - gen_require(` - type printer_server_packet_t; - ') - - allow $1 printer_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send printer_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_server_packets'($*)) dnl - - gen_require(` - type printer_server_packet_t; - ') - - dontaudit $1 printer_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive printer_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_server_packets'($*)) dnl - - gen_require(` - type printer_server_packet_t; - ') - - allow $1 printer_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive printer_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_server_packets'($*)) dnl - - gen_require(` - type printer_server_packet_t; - ') - - dontaudit $1 printer_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive printer_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_server_packets'($*)) dnl - - corenet_send_printer_server_packets($1) - corenet_receive_printer_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive printer_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl - - corenet_dontaudit_send_printer_server_packets($1) - corenet_dontaudit_receive_printer_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to printer_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_printer_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_server_packets'($*)) dnl - - gen_require(` - type printer_server_packet_t; - ') - - allow $1 printer_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ptal port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ptal_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ptal port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ptal_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ptal port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ptal_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ptal port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ptal_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ptal port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ptal_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ptal port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ptal_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ptal port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ptal_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ptal port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ptal_port'($*)) dnl - - gen_require(` - type ptal_port_t; - ') - - allow $1 ptal_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ptal_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ptal port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ptal_port'($*)) dnl - - gen_require(` - type ptal_port_t; - ') - - allow $1 ptal_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ptal_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ptal port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ptal_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ptal_port'($*)) dnl - - gen_require(` - type ptal_port_t; - ') - - allow $1 ptal_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ptal_port'($*)) dnl - ') - - - -######################################## -## -## Send ptal_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_client_packets'($*)) dnl - - gen_require(` - type ptal_client_packet_t; - ') - - allow $1 ptal_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ptal_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_client_packets'($*)) dnl - - gen_require(` - type ptal_client_packet_t; - ') - - dontaudit $1 ptal_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ptal_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_client_packets'($*)) dnl - - gen_require(` - type ptal_client_packet_t; - ') - - allow $1 ptal_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ptal_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl - - gen_require(` - type ptal_client_packet_t; - ') - - dontaudit $1 ptal_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ptal_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_client_packets'($*)) dnl - - corenet_send_ptal_client_packets($1) - corenet_receive_ptal_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ptal_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl - - corenet_dontaudit_send_ptal_client_packets($1) - corenet_dontaudit_receive_ptal_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ptal_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ptal_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_client_packets'($*)) dnl - - gen_require(` - type ptal_client_packet_t; - ') - - allow $1 ptal_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ptal_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_server_packets'($*)) dnl - - gen_require(` - type ptal_server_packet_t; - ') - - allow $1 ptal_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ptal_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_server_packets'($*)) dnl - - gen_require(` - type ptal_server_packet_t; - ') - - dontaudit $1 ptal_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ptal_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_server_packets'($*)) dnl - - gen_require(` - type ptal_server_packet_t; - ') - - allow $1 ptal_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ptal_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl - - gen_require(` - type ptal_server_packet_t; - ') - - dontaudit $1 ptal_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ptal_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_server_packets'($*)) dnl - - corenet_send_ptal_server_packets($1) - corenet_receive_ptal_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ptal_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl - - corenet_dontaudit_send_ptal_server_packets($1) - corenet_dontaudit_receive_ptal_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ptal_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ptal_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_server_packets'($*)) dnl - - gen_require(` - type ptal_server_packet_t; - ') - - allow $1 ptal_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pulseaudio port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pulseaudio port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pulseaudio port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pulseaudio port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pulseaudio port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pulseaudio port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pulseaudio port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pulseaudio port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pulseaudio_port'($*)) dnl - - gen_require(` - type pulseaudio_port_t; - ') - - allow $1 pulseaudio_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pulseaudio port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pulseaudio_port'($*)) dnl - - gen_require(` - type pulseaudio_port_t; - ') - - allow $1 pulseaudio_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pulseaudio_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pulseaudio port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pulseaudio_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pulseaudio_port'($*)) dnl - - gen_require(` - type pulseaudio_port_t; - ') - - allow $1 pulseaudio_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pulseaudio_port'($*)) dnl - ') - - - -######################################## -## -## Send pulseaudio_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_client_packets'($*)) dnl - - gen_require(` - type pulseaudio_client_packet_t; - ') - - allow $1 pulseaudio_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pulseaudio_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_client_packets'($*)) dnl - - gen_require(` - type pulseaudio_client_packet_t; - ') - - dontaudit $1 pulseaudio_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pulseaudio_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_client_packets'($*)) dnl - - gen_require(` - type pulseaudio_client_packet_t; - ') - - allow $1 pulseaudio_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pulseaudio_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_client_packets'($*)) dnl - - gen_require(` - type pulseaudio_client_packet_t; - ') - - dontaudit $1 pulseaudio_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pulseaudio_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_client_packets'($*)) dnl - - corenet_send_pulseaudio_client_packets($1) - corenet_receive_pulseaudio_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pulseaudio_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*)) dnl - - corenet_dontaudit_send_pulseaudio_client_packets($1) - corenet_dontaudit_receive_pulseaudio_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pulseaudio_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pulseaudio_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_client_packets'($*)) dnl - - gen_require(` - type pulseaudio_client_packet_t; - ') - - allow $1 pulseaudio_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pulseaudio_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_server_packets'($*)) dnl - - gen_require(` - type pulseaudio_server_packet_t; - ') - - allow $1 pulseaudio_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pulseaudio_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_server_packets'($*)) dnl - - gen_require(` - type pulseaudio_server_packet_t; - ') - - dontaudit $1 pulseaudio_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pulseaudio_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_server_packets'($*)) dnl - - gen_require(` - type pulseaudio_server_packet_t; - ') - - allow $1 pulseaudio_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pulseaudio_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_server_packets'($*)) dnl - - gen_require(` - type pulseaudio_server_packet_t; - ') - - dontaudit $1 pulseaudio_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pulseaudio_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_server_packets'($*)) dnl - - corenet_send_pulseaudio_server_packets($1) - corenet_receive_pulseaudio_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pulseaudio_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*)) dnl - - corenet_dontaudit_send_pulseaudio_server_packets($1) - corenet_dontaudit_receive_pulseaudio_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pulseaudio_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pulseaudio_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_server_packets'($*)) dnl - - gen_require(` - type pulseaudio_server_packet_t; - ') - - allow $1 pulseaudio_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the puppet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_puppet_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the puppet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_puppet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the puppet port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_puppet_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the puppet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_puppet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the puppet port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_puppet_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the puppet port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_puppet_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the puppet port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_puppet_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_puppet_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the puppet port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_puppet_port'($*)) dnl - - gen_require(` - type puppet_port_t; - ') - - allow $1 puppet_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_puppet_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the puppet port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_puppet_port'($*)) dnl - - gen_require(` - type puppet_port_t; - ') - - allow $1 puppet_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_puppet_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the puppet port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_puppet_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_puppet_port'($*)) dnl - - gen_require(` - type puppet_port_t; - ') - - allow $1 puppet_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_puppet_port'($*)) dnl - ') - - - -######################################## -## -## Send puppet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_client_packets'($*)) dnl - - gen_require(` - type puppet_client_packet_t; - ') - - allow $1 puppet_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send puppet_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_client_packets'($*)) dnl - - gen_require(` - type puppet_client_packet_t; - ') - - dontaudit $1 puppet_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive puppet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_client_packets'($*)) dnl - - gen_require(` - type puppet_client_packet_t; - ') - - allow $1 puppet_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive puppet_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_client_packets'($*)) dnl - - gen_require(` - type puppet_client_packet_t; - ') - - dontaudit $1 puppet_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive puppet_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_client_packets'($*)) dnl - - corenet_send_puppet_client_packets($1) - corenet_receive_puppet_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive puppet_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_client_packets'($*)) dnl - - corenet_dontaudit_send_puppet_client_packets($1) - corenet_dontaudit_receive_puppet_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to puppet_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_puppet_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_client_packets'($*)) dnl - - gen_require(` - type puppet_client_packet_t; - ') - - allow $1 puppet_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send puppet_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_server_packets'($*)) dnl - - gen_require(` - type puppet_server_packet_t; - ') - - allow $1 puppet_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send puppet_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_server_packets'($*)) dnl - - gen_require(` - type puppet_server_packet_t; - ') - - dontaudit $1 puppet_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive puppet_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_server_packets'($*)) dnl - - gen_require(` - type puppet_server_packet_t; - ') - - allow $1 puppet_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive puppet_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_server_packets'($*)) dnl - - gen_require(` - type puppet_server_packet_t; - ') - - dontaudit $1 puppet_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive puppet_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_server_packets'($*)) dnl - - corenet_send_puppet_server_packets($1) - corenet_receive_puppet_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive puppet_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_server_packets'($*)) dnl - - corenet_dontaudit_send_puppet_server_packets($1) - corenet_dontaudit_receive_puppet_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to puppet_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_puppet_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_server_packets'($*)) dnl - - gen_require(` - type puppet_server_packet_t; - ') - - allow $1 puppet_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the puppetclient port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the puppetclient port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the puppetclient port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the puppetclient port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the puppetclient port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the puppetclient port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the puppetclient port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_puppetclient_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the puppetclient port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_puppetclient_port'($*)) dnl - - gen_require(` - type puppetclient_port_t; - ') - - allow $1 puppetclient_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the puppetclient port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_puppetclient_port'($*)) dnl - - gen_require(` - type puppetclient_port_t; - ') - - allow $1 puppetclient_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_puppetclient_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the puppetclient port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_puppetclient_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_puppetclient_port'($*)) dnl - - gen_require(` - type puppetclient_port_t; - ') - - allow $1 puppetclient_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_puppetclient_port'($*)) dnl - ') - - - -######################################## -## -## Send puppetclient_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_puppetclient_client_packets'($*)) dnl - - gen_require(` - type puppetclient_client_packet_t; - ') - - allow $1 puppetclient_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send puppetclient_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppetclient_client_packets'($*)) dnl - - gen_require(` - type puppetclient_client_packet_t; - ') - - dontaudit $1 puppetclient_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive puppetclient_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_puppetclient_client_packets'($*)) dnl - - gen_require(` - type puppetclient_client_packet_t; - ') - - allow $1 puppetclient_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive puppetclient_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppetclient_client_packets'($*)) dnl - - gen_require(` - type puppetclient_client_packet_t; - ') - - dontaudit $1 puppetclient_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive puppetclient_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppetclient_client_packets'($*)) dnl - - corenet_send_puppetclient_client_packets($1) - corenet_receive_puppetclient_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive puppetclient_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppetclient_client_packets'($*)) dnl - - corenet_dontaudit_send_puppetclient_client_packets($1) - corenet_dontaudit_receive_puppetclient_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppetclient_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to puppetclient_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_puppetclient_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppetclient_client_packets'($*)) dnl - - gen_require(` - type puppetclient_client_packet_t; - ') - - allow $1 puppetclient_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppetclient_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send puppetclient_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_puppetclient_server_packets'($*)) dnl - - gen_require(` - type puppetclient_server_packet_t; - ') - - allow $1 puppetclient_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send puppetclient_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppetclient_server_packets'($*)) dnl - - gen_require(` - type puppetclient_server_packet_t; - ') - - dontaudit $1 puppetclient_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive puppetclient_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_puppetclient_server_packets'($*)) dnl - - gen_require(` - type puppetclient_server_packet_t; - ') - - allow $1 puppetclient_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive puppetclient_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppetclient_server_packets'($*)) dnl - - gen_require(` - type puppetclient_server_packet_t; - ') - - dontaudit $1 puppetclient_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive puppetclient_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppetclient_server_packets'($*)) dnl - - corenet_send_puppetclient_server_packets($1) - corenet_receive_puppetclient_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive puppetclient_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppetclient_server_packets'($*)) dnl - - corenet_dontaudit_send_puppetclient_server_packets($1) - corenet_dontaudit_receive_puppetclient_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppetclient_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to puppetclient_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_puppetclient_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppetclient_server_packets'($*)) dnl - - gen_require(` - type puppetclient_server_packet_t; - ') - - allow $1 puppetclient_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppetclient_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pxe port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pxe_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pxe port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pxe_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pxe port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pxe_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pxe port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pxe_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pxe port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pxe port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pxe_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pxe port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pxe port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pxe_port'($*)) dnl - - gen_require(` - type pxe_port_t; - ') - - allow $1 pxe_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pxe_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pxe port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pxe_port'($*)) dnl - - gen_require(` - type pxe_port_t; - ') - - allow $1 pxe_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pxe_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pxe port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pxe_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pxe_port'($*)) dnl - - gen_require(` - type pxe_port_t; - ') - - allow $1 pxe_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pxe_port'($*)) dnl - ') - - - -######################################## -## -## Send pxe_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_client_packets'($*)) dnl - - gen_require(` - type pxe_client_packet_t; - ') - - allow $1 pxe_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pxe_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_client_packets'($*)) dnl - - gen_require(` - type pxe_client_packet_t; - ') - - dontaudit $1 pxe_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pxe_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_client_packets'($*)) dnl - - gen_require(` - type pxe_client_packet_t; - ') - - allow $1 pxe_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pxe_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl - - gen_require(` - type pxe_client_packet_t; - ') - - dontaudit $1 pxe_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pxe_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_client_packets'($*)) dnl - - corenet_send_pxe_client_packets($1) - corenet_receive_pxe_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pxe_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl - - corenet_dontaudit_send_pxe_client_packets($1) - corenet_dontaudit_receive_pxe_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pxe_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pxe_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_client_packets'($*)) dnl - - gen_require(` - type pxe_client_packet_t; - ') - - allow $1 pxe_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pxe_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_server_packets'($*)) dnl - - gen_require(` - type pxe_server_packet_t; - ') - - allow $1 pxe_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pxe_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_server_packets'($*)) dnl - - gen_require(` - type pxe_server_packet_t; - ') - - dontaudit $1 pxe_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pxe_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_server_packets'($*)) dnl - - gen_require(` - type pxe_server_packet_t; - ') - - allow $1 pxe_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pxe_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl - - gen_require(` - type pxe_server_packet_t; - ') - - dontaudit $1 pxe_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pxe_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_server_packets'($*)) dnl - - corenet_send_pxe_server_packets($1) - corenet_receive_pxe_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pxe_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl - - corenet_dontaudit_send_pxe_server_packets($1) - corenet_dontaudit_receive_pxe_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pxe_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pxe_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_server_packets'($*)) dnl - - gen_require(` - type pxe_server_packet_t; - ') - - allow $1 pxe_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the pyzor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the pyzor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the pyzor port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the pyzor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the pyzor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the pyzor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the pyzor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the pyzor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pyzor_port'($*)) dnl - - gen_require(` - type pyzor_port_t; - ') - - allow $1 pyzor_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the pyzor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pyzor_port'($*)) dnl - - gen_require(` - type pyzor_port_t; - ') - - allow $1 pyzor_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pyzor_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the pyzor port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_pyzor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pyzor_port'($*)) dnl - - gen_require(` - type pyzor_port_t; - ') - - allow $1 pyzor_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pyzor_port'($*)) dnl - ') - - - -######################################## -## -## Send pyzor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_client_packets'($*)) dnl - - gen_require(` - type pyzor_client_packet_t; - ') - - allow $1 pyzor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pyzor_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl - - gen_require(` - type pyzor_client_packet_t; - ') - - dontaudit $1 pyzor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive pyzor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_client_packets'($*)) dnl - - gen_require(` - type pyzor_client_packet_t; - ') - - allow $1 pyzor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pyzor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl - - gen_require(` - type pyzor_client_packet_t; - ') - - dontaudit $1 pyzor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pyzor_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_client_packets'($*)) dnl - - corenet_send_pyzor_client_packets($1) - corenet_receive_pyzor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pyzor_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl - - corenet_dontaudit_send_pyzor_client_packets($1) - corenet_dontaudit_receive_pyzor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pyzor_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_pyzor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_client_packets'($*)) dnl - - gen_require(` - type pyzor_client_packet_t; - ') - - allow $1 pyzor_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send pyzor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_server_packets'($*)) dnl - - gen_require(` - type pyzor_server_packet_t; - ') - - allow $1 pyzor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send pyzor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl - - gen_require(` - type pyzor_server_packet_t; - ') - - dontaudit $1 pyzor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive pyzor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_server_packets'($*)) dnl - - gen_require(` - type pyzor_server_packet_t; - ') - - allow $1 pyzor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive pyzor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl - - gen_require(` - type pyzor_server_packet_t; - ') - - dontaudit $1 pyzor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive pyzor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_server_packets'($*)) dnl - - corenet_send_pyzor_server_packets($1) - corenet_receive_pyzor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive pyzor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl - - corenet_dontaudit_send_pyzor_server_packets($1) - corenet_dontaudit_receive_pyzor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to pyzor_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_pyzor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_server_packets'($*)) dnl - - gen_require(` - type pyzor_server_packet_t; - ') - - allow $1 pyzor_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the radacct port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radacct_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the radacct port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_radacct_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the radacct port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radacct_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the radacct port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radacct_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the radacct port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the radacct port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radacct_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the radacct port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the radacct port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radacct_port'($*)) dnl - - gen_require(` - type radacct_port_t; - ') - - allow $1 radacct_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radacct_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the radacct port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radacct_port'($*)) dnl - - gen_require(` - type radacct_port_t; - ') - - allow $1 radacct_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radacct_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the radacct port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_radacct_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radacct_port'($*)) dnl - - gen_require(` - type radacct_port_t; - ') - - allow $1 radacct_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radacct_port'($*)) dnl - ') - - - -######################################## -## -## Send radacct_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_client_packets'($*)) dnl - - gen_require(` - type radacct_client_packet_t; - ') - - allow $1 radacct_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radacct_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_client_packets'($*)) dnl - - gen_require(` - type radacct_client_packet_t; - ') - - dontaudit $1 radacct_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive radacct_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_client_packets'($*)) dnl - - gen_require(` - type radacct_client_packet_t; - ') - - allow $1 radacct_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radacct_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl - - gen_require(` - type radacct_client_packet_t; - ') - - dontaudit $1 radacct_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radacct_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_client_packets'($*)) dnl - - corenet_send_radacct_client_packets($1) - corenet_receive_radacct_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radacct_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl - - corenet_dontaudit_send_radacct_client_packets($1) - corenet_dontaudit_receive_radacct_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radacct_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_radacct_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_client_packets'($*)) dnl - - gen_require(` - type radacct_client_packet_t; - ') - - allow $1 radacct_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send radacct_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_server_packets'($*)) dnl - - gen_require(` - type radacct_server_packet_t; - ') - - allow $1 radacct_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radacct_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_server_packets'($*)) dnl - - gen_require(` - type radacct_server_packet_t; - ') - - dontaudit $1 radacct_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive radacct_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_server_packets'($*)) dnl - - gen_require(` - type radacct_server_packet_t; - ') - - allow $1 radacct_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radacct_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl - - gen_require(` - type radacct_server_packet_t; - ') - - dontaudit $1 radacct_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radacct_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_server_packets'($*)) dnl - - corenet_send_radacct_server_packets($1) - corenet_receive_radacct_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radacct_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl - - corenet_dontaudit_send_radacct_server_packets($1) - corenet_dontaudit_receive_radacct_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radacct_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_radacct_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_server_packets'($*)) dnl - - gen_require(` - type radacct_server_packet_t; - ') - - allow $1 radacct_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the radius port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radius_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the radius port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_radius_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the radius port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radius_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the radius port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radius_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the radius port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radius_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the radius port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radius_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the radius port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the radius port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radius_port'($*)) dnl - - gen_require(` - type radius_port_t; - ') - - allow $1 radius_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radius_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the radius port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radius_port'($*)) dnl - - gen_require(` - type radius_port_t; - ') - - allow $1 radius_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radius_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the radius port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_radius_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radius_port'($*)) dnl - - gen_require(` - type radius_port_t; - ') - - allow $1 radius_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radius_port'($*)) dnl - ') - - - -######################################## -## -## Send radius_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radius_client_packets'($*)) dnl - - gen_require(` - type radius_client_packet_t; - ') - - allow $1 radius_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radius_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_client_packets'($*)) dnl - - gen_require(` - type radius_client_packet_t; - ') - - dontaudit $1 radius_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive radius_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_client_packets'($*)) dnl - - gen_require(` - type radius_client_packet_t; - ') - - allow $1 radius_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radius_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_client_packets'($*)) dnl - - gen_require(` - type radius_client_packet_t; - ') - - dontaudit $1 radius_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radius_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_client_packets'($*)) dnl - - corenet_send_radius_client_packets($1) - corenet_receive_radius_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radius_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl - - corenet_dontaudit_send_radius_client_packets($1) - corenet_dontaudit_receive_radius_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radius_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_radius_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_client_packets'($*)) dnl - - gen_require(` - type radius_client_packet_t; - ') - - allow $1 radius_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send radius_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radius_server_packets'($*)) dnl - - gen_require(` - type radius_server_packet_t; - ') - - allow $1 radius_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radius_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_server_packets'($*)) dnl - - gen_require(` - type radius_server_packet_t; - ') - - dontaudit $1 radius_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive radius_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_server_packets'($*)) dnl - - gen_require(` - type radius_server_packet_t; - ') - - allow $1 radius_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radius_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_server_packets'($*)) dnl - - gen_require(` - type radius_server_packet_t; - ') - - dontaudit $1 radius_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radius_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_server_packets'($*)) dnl - - corenet_send_radius_server_packets($1) - corenet_receive_radius_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radius_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl - - corenet_dontaudit_send_radius_server_packets($1) - corenet_dontaudit_receive_radius_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radius_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_radius_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_server_packets'($*)) dnl - - gen_require(` - type radius_server_packet_t; - ') - - allow $1 radius_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the radsec port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radsec_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the radsec port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_radsec_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the radsec port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radsec_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the radsec port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radsec_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the radsec port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the radsec port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radsec_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the radsec port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the radsec port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radsec_port'($*)) dnl - - gen_require(` - type radsec_port_t; - ') - - allow $1 radsec_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radsec_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the radsec port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radsec_port'($*)) dnl - - gen_require(` - type radsec_port_t; - ') - - allow $1 radsec_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radsec_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the radsec port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_radsec_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radsec_port'($*)) dnl - - gen_require(` - type radsec_port_t; - ') - - allow $1 radsec_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radsec_port'($*)) dnl - ') - - - -######################################## -## -## Send radsec_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_client_packets'($*)) dnl - - gen_require(` - type radsec_client_packet_t; - ') - - allow $1 radsec_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radsec_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_client_packets'($*)) dnl - - gen_require(` - type radsec_client_packet_t; - ') - - dontaudit $1 radsec_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive radsec_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_client_packets'($*)) dnl - - gen_require(` - type radsec_client_packet_t; - ') - - allow $1 radsec_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radsec_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl - - gen_require(` - type radsec_client_packet_t; - ') - - dontaudit $1 radsec_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radsec_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_client_packets'($*)) dnl - - corenet_send_radsec_client_packets($1) - corenet_receive_radsec_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radsec_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl - - corenet_dontaudit_send_radsec_client_packets($1) - corenet_dontaudit_receive_radsec_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radsec_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_radsec_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_client_packets'($*)) dnl - - gen_require(` - type radsec_client_packet_t; - ') - - allow $1 radsec_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send radsec_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_server_packets'($*)) dnl - - gen_require(` - type radsec_server_packet_t; - ') - - allow $1 radsec_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send radsec_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_server_packets'($*)) dnl - - gen_require(` - type radsec_server_packet_t; - ') - - dontaudit $1 radsec_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive radsec_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_server_packets'($*)) dnl - - gen_require(` - type radsec_server_packet_t; - ') - - allow $1 radsec_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive radsec_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl - - gen_require(` - type radsec_server_packet_t; - ') - - dontaudit $1 radsec_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive radsec_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_server_packets'($*)) dnl - - corenet_send_radsec_server_packets($1) - corenet_receive_radsec_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive radsec_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl - - corenet_dontaudit_send_radsec_server_packets($1) - corenet_dontaudit_receive_radsec_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to radsec_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_radsec_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_server_packets'($*)) dnl - - gen_require(` - type radsec_server_packet_t; - ') - - allow $1 radsec_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the razor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_razor_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the razor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_razor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the razor port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_razor_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the razor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_razor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the razor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_razor_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the razor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_razor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the razor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the razor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_razor_port'($*)) dnl - - gen_require(` - type razor_port_t; - ') - - allow $1 razor_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_razor_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the razor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_razor_port'($*)) dnl - - gen_require(` - type razor_port_t; - ') - - allow $1 razor_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_razor_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the razor port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_razor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_razor_port'($*)) dnl - - gen_require(` - type razor_port_t; - ') - - allow $1 razor_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_razor_port'($*)) dnl - ') - - - -######################################## -## -## Send razor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_razor_client_packets'($*)) dnl - - gen_require(` - type razor_client_packet_t; - ') - - allow $1 razor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send razor_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_client_packets'($*)) dnl - - gen_require(` - type razor_client_packet_t; - ') - - dontaudit $1 razor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive razor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_client_packets'($*)) dnl - - gen_require(` - type razor_client_packet_t; - ') - - allow $1 razor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive razor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_client_packets'($*)) dnl - - gen_require(` - type razor_client_packet_t; - ') - - dontaudit $1 razor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive razor_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_client_packets'($*)) dnl - - corenet_send_razor_client_packets($1) - corenet_receive_razor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive razor_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl - - corenet_dontaudit_send_razor_client_packets($1) - corenet_dontaudit_receive_razor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to razor_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_razor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_client_packets'($*)) dnl - - gen_require(` - type razor_client_packet_t; - ') - - allow $1 razor_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send razor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_razor_server_packets'($*)) dnl - - gen_require(` - type razor_server_packet_t; - ') - - allow $1 razor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send razor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_server_packets'($*)) dnl - - gen_require(` - type razor_server_packet_t; - ') - - dontaudit $1 razor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive razor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_server_packets'($*)) dnl - - gen_require(` - type razor_server_packet_t; - ') - - allow $1 razor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive razor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_server_packets'($*)) dnl - - gen_require(` - type razor_server_packet_t; - ') - - dontaudit $1 razor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive razor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_server_packets'($*)) dnl - - corenet_send_razor_server_packets($1) - corenet_receive_razor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive razor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl - - corenet_dontaudit_send_razor_server_packets($1) - corenet_dontaudit_receive_razor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to razor_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_razor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_server_packets'($*)) dnl - - gen_require(` - type razor_server_packet_t; - ') - - allow $1 razor_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the redis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_redis_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the redis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_redis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the redis port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_redis_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the redis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_redis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the redis port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_redis_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the redis port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_redis_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the redis port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the redis port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_redis_port'($*)) dnl - - gen_require(` - type redis_port_t; - ') - - allow $1 redis_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_redis_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the redis port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_redis_port'($*)) dnl - - gen_require(` - type redis_port_t; - ') - - allow $1 redis_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_redis_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the redis port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_redis_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_redis_port'($*)) dnl - - gen_require(` - type redis_port_t; - ') - - allow $1 redis_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_redis_port'($*)) dnl - ') - - - -######################################## -## -## Send redis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_redis_client_packets'($*)) dnl - - gen_require(` - type redis_client_packet_t; - ') - - allow $1 redis_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send redis_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_client_packets'($*)) dnl - - gen_require(` - type redis_client_packet_t; - ') - - dontaudit $1 redis_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive redis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_client_packets'($*)) dnl - - gen_require(` - type redis_client_packet_t; - ') - - allow $1 redis_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive redis_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_client_packets'($*)) dnl - - gen_require(` - type redis_client_packet_t; - ') - - dontaudit $1 redis_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive redis_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_client_packets'($*)) dnl - - corenet_send_redis_client_packets($1) - corenet_receive_redis_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive redis_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl - - corenet_dontaudit_send_redis_client_packets($1) - corenet_dontaudit_receive_redis_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to redis_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_redis_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_client_packets'($*)) dnl - - gen_require(` - type redis_client_packet_t; - ') - - allow $1 redis_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send redis_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_redis_server_packets'($*)) dnl - - gen_require(` - type redis_server_packet_t; - ') - - allow $1 redis_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send redis_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_server_packets'($*)) dnl - - gen_require(` - type redis_server_packet_t; - ') - - dontaudit $1 redis_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive redis_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_server_packets'($*)) dnl - - gen_require(` - type redis_server_packet_t; - ') - - allow $1 redis_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive redis_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_server_packets'($*)) dnl - - gen_require(` - type redis_server_packet_t; - ') - - dontaudit $1 redis_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive redis_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_server_packets'($*)) dnl - - corenet_send_redis_server_packets($1) - corenet_receive_redis_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive redis_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl - - corenet_dontaudit_send_redis_server_packets($1) - corenet_dontaudit_receive_redis_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to redis_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_redis_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_server_packets'($*)) dnl - - gen_require(` - type redis_server_packet_t; - ') - - allow $1 redis_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the repository port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_repository_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the repository port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_repository_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the repository port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_repository_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the repository port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_repository_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the repository port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_repository_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the repository port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_repository_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the repository port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the repository port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_repository_port'($*)) dnl - - gen_require(` - type repository_port_t; - ') - - allow $1 repository_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_repository_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the repository port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_repository_port'($*)) dnl - - gen_require(` - type repository_port_t; - ') - - allow $1 repository_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_repository_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the repository port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_repository_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_repository_port'($*)) dnl - - gen_require(` - type repository_port_t; - ') - - allow $1 repository_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_repository_port'($*)) dnl - ') - - - -######################################## -## -## Send repository_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_repository_client_packets'($*)) dnl - - gen_require(` - type repository_client_packet_t; - ') - - allow $1 repository_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send repository_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_client_packets'($*)) dnl - - gen_require(` - type repository_client_packet_t; - ') - - dontaudit $1 repository_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive repository_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_client_packets'($*)) dnl - - gen_require(` - type repository_client_packet_t; - ') - - allow $1 repository_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive repository_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_client_packets'($*)) dnl - - gen_require(` - type repository_client_packet_t; - ') - - dontaudit $1 repository_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive repository_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_client_packets'($*)) dnl - - corenet_send_repository_client_packets($1) - corenet_receive_repository_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive repository_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl - - corenet_dontaudit_send_repository_client_packets($1) - corenet_dontaudit_receive_repository_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to repository_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_repository_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_client_packets'($*)) dnl - - gen_require(` - type repository_client_packet_t; - ') - - allow $1 repository_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send repository_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_repository_server_packets'($*)) dnl - - gen_require(` - type repository_server_packet_t; - ') - - allow $1 repository_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send repository_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_server_packets'($*)) dnl - - gen_require(` - type repository_server_packet_t; - ') - - dontaudit $1 repository_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive repository_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_server_packets'($*)) dnl - - gen_require(` - type repository_server_packet_t; - ') - - allow $1 repository_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive repository_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_server_packets'($*)) dnl - - gen_require(` - type repository_server_packet_t; - ') - - dontaudit $1 repository_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive repository_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_server_packets'($*)) dnl - - corenet_send_repository_server_packets($1) - corenet_receive_repository_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive repository_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl - - corenet_dontaudit_send_repository_server_packets($1) - corenet_dontaudit_receive_repository_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to repository_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_repository_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_server_packets'($*)) dnl - - gen_require(` - type repository_server_packet_t; - ') - - allow $1 repository_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ricci port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ricci port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ricci port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ricci port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ricci port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ricci port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ricci port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ricci port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_port'($*)) dnl - - gen_require(` - type ricci_port_t; - ') - - allow $1 ricci_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ricci port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_port'($*)) dnl - - gen_require(` - type ricci_port_t; - ') - - allow $1 ricci_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ricci port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ricci_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_port'($*)) dnl - - gen_require(` - type ricci_port_t; - ') - - allow $1 ricci_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_port'($*)) dnl - ') - - - -######################################## -## -## Send ricci_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_client_packets'($*)) dnl - - gen_require(` - type ricci_client_packet_t; - ') - - allow $1 ricci_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ricci_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_client_packets'($*)) dnl - - gen_require(` - type ricci_client_packet_t; - ') - - dontaudit $1 ricci_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ricci_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_client_packets'($*)) dnl - - gen_require(` - type ricci_client_packet_t; - ') - - allow $1 ricci_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ricci_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl - - gen_require(` - type ricci_client_packet_t; - ') - - dontaudit $1 ricci_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ricci_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_client_packets'($*)) dnl - - corenet_send_ricci_client_packets($1) - corenet_receive_ricci_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ricci_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl - - corenet_dontaudit_send_ricci_client_packets($1) - corenet_dontaudit_receive_ricci_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ricci_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ricci_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_client_packets'($*)) dnl - - gen_require(` - type ricci_client_packet_t; - ') - - allow $1 ricci_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ricci_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_server_packets'($*)) dnl - - gen_require(` - type ricci_server_packet_t; - ') - - allow $1 ricci_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ricci_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_server_packets'($*)) dnl - - gen_require(` - type ricci_server_packet_t; - ') - - dontaudit $1 ricci_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ricci_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_server_packets'($*)) dnl - - gen_require(` - type ricci_server_packet_t; - ') - - allow $1 ricci_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ricci_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl - - gen_require(` - type ricci_server_packet_t; - ') - - dontaudit $1 ricci_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ricci_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_server_packets'($*)) dnl - - corenet_send_ricci_server_packets($1) - corenet_receive_ricci_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ricci_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl - - corenet_dontaudit_send_ricci_server_packets($1) - corenet_dontaudit_receive_ricci_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ricci_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ricci_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_server_packets'($*)) dnl - - gen_require(` - type ricci_server_packet_t; - ') - - allow $1 ricci_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ricci_modcluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ricci_modcluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ricci_modcluster port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ricci_modcluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ricci_modcluster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ricci_modcluster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ricci_modcluster port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ricci_modcluster port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl - - gen_require(` - type ricci_modcluster_port_t; - ') - - allow $1 ricci_modcluster_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ricci_modcluster port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_modcluster_port'($*)) dnl - - gen_require(` - type ricci_modcluster_port_t; - ') - - allow $1 ricci_modcluster_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_modcluster_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ricci_modcluster port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ricci_modcluster_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl - - gen_require(` - type ricci_modcluster_port_t; - ') - - allow $1 ricci_modcluster_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl - ') - - - -######################################## -## -## Send ricci_modcluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_client_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_client_packet_t; - ') - - allow $1 ricci_modcluster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ricci_modcluster_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_client_packet_t; - ') - - dontaudit $1 ricci_modcluster_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ricci_modcluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_client_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_client_packet_t; - ') - - allow $1 ricci_modcluster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ricci_modcluster_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_client_packet_t; - ') - - dontaudit $1 ricci_modcluster_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ricci_modcluster_client packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl - - corenet_send_ricci_modcluster_client_packets($1) - corenet_receive_ricci_modcluster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ricci_modcluster_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl - - corenet_dontaudit_send_ricci_modcluster_client_packets($1) - corenet_dontaudit_receive_ricci_modcluster_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ricci_modcluster_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ricci_modcluster_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_client_packet_t; - ') - - allow $1 ricci_modcluster_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ricci_modcluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_server_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_server_packet_t; - ') - - allow $1 ricci_modcluster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ricci_modcluster_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_server_packet_t; - ') - - dontaudit $1 ricci_modcluster_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ricci_modcluster_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_server_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_server_packet_t; - ') - - allow $1 ricci_modcluster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ricci_modcluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_server_packet_t; - ') - - dontaudit $1 ricci_modcluster_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ricci_modcluster_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl - - corenet_send_ricci_modcluster_server_packets($1) - corenet_receive_ricci_modcluster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ricci_modcluster_server packets. 
-## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl - - corenet_dontaudit_send_ricci_modcluster_server_packets($1) - corenet_dontaudit_receive_ricci_modcluster_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ricci_modcluster_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ricci_modcluster_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl - - gen_require(` - type ricci_modcluster_server_packet_t; - ') - - allow $1 ricci_modcluster_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rlogind port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rlogind port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rlogind port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rlogind port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rlogind port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rlogind port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rlogind port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rlogind port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogind_port'($*)) dnl - - gen_require(` - type rlogind_port_t; - ') - - allow $1 rlogind_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rlogind port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogind_port'($*)) dnl - - gen_require(` - type rlogind_port_t; - ') - - allow $1 rlogind_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogind_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rlogind port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rlogind_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogind_port'($*)) dnl - - gen_require(` - type rlogind_port_t; - ') - - allow $1 rlogind_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogind_port'($*)) dnl - ') - - - -######################################## -## -## Send rlogind_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_client_packets'($*)) dnl - - gen_require(` - type rlogind_client_packet_t; - ') - - allow $1 rlogind_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rlogind_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl - - gen_require(` - type rlogind_client_packet_t; - ') - - dontaudit $1 rlogind_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rlogind_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_client_packets'($*)) dnl - - gen_require(` - type rlogind_client_packet_t; - ') - - allow $1 rlogind_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rlogind_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl - - gen_require(` - type rlogind_client_packet_t; - ') - - dontaudit $1 rlogind_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rlogind_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_client_packets'($*)) dnl - - corenet_send_rlogind_client_packets($1) - corenet_receive_rlogind_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rlogind_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl - - corenet_dontaudit_send_rlogind_client_packets($1) - corenet_dontaudit_receive_rlogind_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rlogind_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rlogind_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_client_packets'($*)) dnl - - gen_require(` - type rlogind_client_packet_t; - ') - - allow $1 rlogind_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rlogind_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_server_packets'($*)) dnl - - gen_require(` - type rlogind_server_packet_t; - ') - - allow $1 rlogind_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rlogind_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl - - gen_require(` - type rlogind_server_packet_t; - ') - - dontaudit $1 rlogind_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rlogind_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_server_packets'($*)) dnl - - gen_require(` - type rlogind_server_packet_t; - ') - - allow $1 rlogind_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rlogind_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl - - gen_require(` - type rlogind_server_packet_t; - ') - - dontaudit $1 rlogind_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rlogind_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_server_packets'($*)) dnl - - corenet_send_rlogind_server_packets($1) - corenet_receive_rlogind_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rlogind_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl - - corenet_dontaudit_send_rlogind_server_packets($1) - corenet_dontaudit_receive_rlogind_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rlogind_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rlogind_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_server_packets'($*)) dnl - - gen_require(` - type rlogind_server_packet_t; - ') - - allow $1 rlogind_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rndc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rndc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rndc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rndc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rndc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rndc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rndc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rndc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rndc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rndc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rndc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rndc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rndc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rndc_port'($*)) dnl - - gen_require(` - type rndc_port_t; - ') - - allow $1 rndc_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rndc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rndc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rndc_port'($*)) dnl - - gen_require(` - type rndc_port_t; - ') - - allow $1 rndc_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rndc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rndc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rndc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rndc_port'($*)) dnl - - gen_require(` - type rndc_port_t; - ') - - allow $1 rndc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rndc_port'($*)) dnl - ') - - - -######################################## -## -## Send rndc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_client_packets'($*)) dnl - - gen_require(` - type rndc_client_packet_t; - ') - - allow $1 rndc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rndc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_client_packets'($*)) dnl - - gen_require(` - type rndc_client_packet_t; - ') - - dontaudit $1 rndc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rndc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_client_packets'($*)) dnl - - gen_require(` - type rndc_client_packet_t; - ') - - allow $1 rndc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rndc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl - - gen_require(` - type rndc_client_packet_t; - ') - - dontaudit $1 rndc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rndc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_client_packets'($*)) dnl - - corenet_send_rndc_client_packets($1) - corenet_receive_rndc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rndc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl - - corenet_dontaudit_send_rndc_client_packets($1) - corenet_dontaudit_receive_rndc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rndc_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rndc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_client_packets'($*)) dnl - - gen_require(` - type rndc_client_packet_t; - ') - - allow $1 rndc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rndc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_server_packets'($*)) dnl - - gen_require(` - type rndc_server_packet_t; - ') - - allow $1 rndc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rndc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_server_packets'($*)) dnl - - gen_require(` - type rndc_server_packet_t; - ') - - dontaudit $1 rndc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rndc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_server_packets'($*)) dnl - - gen_require(` - type rndc_server_packet_t; - ') - - allow $1 rndc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rndc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl - - gen_require(` - type rndc_server_packet_t; - ') - - dontaudit $1 rndc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rndc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_server_packets'($*)) dnl - - corenet_send_rndc_server_packets($1) - corenet_receive_rndc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rndc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl - - corenet_dontaudit_send_rndc_server_packets($1) - corenet_dontaudit_receive_rndc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rndc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rndc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_server_packets'($*)) dnl - - gen_require(` - type rndc_server_packet_t; - ') - - allow $1 rndc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the router port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_router_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the router port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_router_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the router port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_router_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the router port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_router_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the router port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_router_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the router port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_router_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the router port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the router port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_router_port'($*)) dnl - - gen_require(` - type router_port_t; - ') - - allow $1 router_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_router_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the router port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_router_port'($*)) dnl - - gen_require(` - type router_port_t; - ') - - allow $1 router_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_router_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the router port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_router_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_router_port'($*)) dnl - - gen_require(` - type router_port_t; - ') - - allow $1 router_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_router_port'($*)) dnl - ') - - - -######################################## -## -## Send router_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_router_client_packets'($*)) dnl - - gen_require(` - type router_client_packet_t; - ') - - allow $1 router_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send router_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_client_packets'($*)) dnl - - gen_require(` - type router_client_packet_t; - ') - - dontaudit $1 router_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive router_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_router_client_packets'($*)) dnl - - gen_require(` - type router_client_packet_t; - ') - - allow $1 router_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive router_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_client_packets'($*)) dnl - - gen_require(` - type router_client_packet_t; - ') - - dontaudit $1 router_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive router_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_client_packets'($*)) dnl - - corenet_send_router_client_packets($1) - corenet_receive_router_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive router_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl - - corenet_dontaudit_send_router_client_packets($1) - corenet_dontaudit_receive_router_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to router_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_router_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_client_packets'($*)) dnl - - gen_require(` - type router_client_packet_t; - ') - - allow $1 router_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send router_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_router_server_packets'($*)) dnl - - gen_require(` - type router_server_packet_t; - ') - - allow $1 router_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send router_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_server_packets'($*)) dnl - - gen_require(` - type router_server_packet_t; - ') - - dontaudit $1 router_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive router_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_router_server_packets'($*)) dnl - - gen_require(` - type router_server_packet_t; - ') - - allow $1 router_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive router_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_server_packets'($*)) dnl - - gen_require(` - type router_server_packet_t; - ') - - dontaudit $1 router_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive router_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_server_packets'($*)) dnl - - corenet_send_router_server_packets($1) - corenet_receive_router_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive router_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl - - corenet_dontaudit_send_router_server_packets($1) - corenet_dontaudit_receive_router_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to router_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_router_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_server_packets'($*)) dnl - - gen_require(` - type router_server_packet_t; - ') - - allow $1 router_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rsh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsh_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rsh port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rsh port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsh_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rsh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rsh port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rsh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rsh port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rsh port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsh_port'($*)) dnl - - gen_require(` - type rsh_port_t; - ') - - allow $1 rsh_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsh_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rsh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsh_port'($*)) dnl - - gen_require(` - type rsh_port_t; - ') - - allow $1 rsh_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsh_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rsh port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rsh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsh_port'($*)) dnl - - gen_require(` - type rsh_port_t; - ') - - allow $1 rsh_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsh_port'($*)) dnl - ') - - - -######################################## -## -## Send rsh_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_client_packets'($*)) dnl - - gen_require(` - type rsh_client_packet_t; - ') - - allow $1 rsh_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rsh_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_client_packets'($*)) dnl - - gen_require(` - type rsh_client_packet_t; - ') - - dontaudit $1 rsh_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rsh_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_client_packets'($*)) dnl - - gen_require(` - type rsh_client_packet_t; - ') - - allow $1 rsh_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rsh_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl - - gen_require(` - type rsh_client_packet_t; - ') - - dontaudit $1 rsh_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rsh_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_client_packets'($*)) dnl - - corenet_send_rsh_client_packets($1) - corenet_receive_rsh_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rsh_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl - - corenet_dontaudit_send_rsh_client_packets($1) - corenet_dontaudit_receive_rsh_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rsh_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rsh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_client_packets'($*)) dnl - - gen_require(` - type rsh_client_packet_t; - ') - - allow $1 rsh_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rsh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_server_packets'($*)) dnl - - gen_require(` - type rsh_server_packet_t; - ') - - allow $1 rsh_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rsh_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_server_packets'($*)) dnl - - gen_require(` - type rsh_server_packet_t; - ') - - dontaudit $1 rsh_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rsh_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_server_packets'($*)) dnl - - gen_require(` - type rsh_server_packet_t; - ') - - allow $1 rsh_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rsh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl - - gen_require(` - type rsh_server_packet_t; - ') - - dontaudit $1 rsh_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rsh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_server_packets'($*)) dnl - - corenet_send_rsh_server_packets($1) - corenet_receive_rsh_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rsh_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl - - corenet_dontaudit_send_rsh_server_packets($1) - corenet_dontaudit_receive_rsh_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rsh_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rsh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_server_packets'($*)) dnl - - gen_require(` - type rsh_server_packet_t; - ') - - allow $1 rsh_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rsync port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsync_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rsync port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsync_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rsync port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsync_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rsync port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsync_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rsync port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rsync port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsync_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rsync port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rsync port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsync_port'($*)) dnl - - gen_require(` - type rsync_port_t; - ') - - allow $1 rsync_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsync_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rsync port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsync_port'($*)) dnl - - gen_require(` - type rsync_port_t; - ') - - allow $1 rsync_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsync_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rsync port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rsync_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsync_port'($*)) dnl - - gen_require(` - type rsync_port_t; - ') - - allow $1 rsync_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsync_port'($*)) dnl - ') - - - -######################################## -## -## Send rsync_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_client_packets'($*)) dnl - - gen_require(` - type rsync_client_packet_t; - ') - - allow $1 rsync_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rsync_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_client_packets'($*)) dnl - - gen_require(` - type rsync_client_packet_t; - ') - - dontaudit $1 rsync_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rsync_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_client_packets'($*)) dnl - - gen_require(` - type rsync_client_packet_t; - ') - - allow $1 rsync_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rsync_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl - - gen_require(` - type rsync_client_packet_t; - ') - - dontaudit $1 rsync_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rsync_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_client_packets'($*)) dnl - - corenet_send_rsync_client_packets($1) - corenet_receive_rsync_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rsync_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl - - corenet_dontaudit_send_rsync_client_packets($1) - corenet_dontaudit_receive_rsync_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rsync_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rsync_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_client_packets'($*)) dnl - - gen_require(` - type rsync_client_packet_t; - ') - - allow $1 rsync_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rsync_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_server_packets'($*)) dnl - - gen_require(` - type rsync_server_packet_t; - ') - - allow $1 rsync_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rsync_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_server_packets'($*)) dnl - - gen_require(` - type rsync_server_packet_t; - ') - - dontaudit $1 rsync_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rsync_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_server_packets'($*)) dnl - - gen_require(` - type rsync_server_packet_t; - ') - - allow $1 rsync_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rsync_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl - - gen_require(` - type rsync_server_packet_t; - ') - - dontaudit $1 rsync_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rsync_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_server_packets'($*)) dnl - - corenet_send_rsync_server_packets($1) - corenet_receive_rsync_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rsync_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl - - corenet_dontaudit_send_rsync_server_packets($1) - corenet_dontaudit_receive_rsync_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rsync_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rsync_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_server_packets'($*)) dnl - - gen_require(` - type rsync_server_packet_t; - ') - - allow $1 rsync_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rtorrent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rtorrent port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rtorrent port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rtorrent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rtorrent port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rtorrent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rtorrent port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtorrent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rtorrent port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtorrent_port'($*)) dnl - - gen_require(` - type rtorrent_port_t; - ') - - allow $1 rtorrent_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rtorrent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtorrent_port'($*)) dnl - - gen_require(` - type rtorrent_port_t; - ') - - allow $1 rtorrent_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtorrent_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rtorrent port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rtorrent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtorrent_port'($*)) dnl - - gen_require(` - type rtorrent_port_t; - ') - - allow $1 rtorrent_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtorrent_port'($*)) dnl - ') - - - -######################################## -## -## Send rtorrent_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rtorrent_client_packets'($*)) dnl - - gen_require(` - type rtorrent_client_packet_t; - ') - - allow $1 rtorrent_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rtorrent_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtorrent_client_packets'($*)) dnl - - gen_require(` - type rtorrent_client_packet_t; - ') - - dontaudit $1 rtorrent_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rtorrent_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rtorrent_client_packets'($*)) dnl - - gen_require(` - type rtorrent_client_packet_t; - ') - - allow $1 rtorrent_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rtorrent_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtorrent_client_packets'($*)) dnl - - gen_require(` - type rtorrent_client_packet_t; - ') - - dontaudit $1 rtorrent_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rtorrent_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtorrent_client_packets'($*)) dnl - - corenet_send_rtorrent_client_packets($1) - corenet_receive_rtorrent_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rtorrent_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtorrent_client_packets'($*)) dnl - - corenet_dontaudit_send_rtorrent_client_packets($1) - corenet_dontaudit_receive_rtorrent_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtorrent_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rtorrent_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rtorrent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtorrent_client_packets'($*)) dnl - - gen_require(` - type rtorrent_client_packet_t; - ') - - allow $1 rtorrent_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtorrent_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rtorrent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rtorrent_server_packets'($*)) dnl - - gen_require(` - type rtorrent_server_packet_t; - ') - - allow $1 rtorrent_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rtorrent_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtorrent_server_packets'($*)) dnl - - gen_require(` - type rtorrent_server_packet_t; - ') - - dontaudit $1 rtorrent_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rtorrent_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rtorrent_server_packets'($*)) dnl - - gen_require(` - type rtorrent_server_packet_t; - ') - - allow $1 rtorrent_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rtorrent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtorrent_server_packets'($*)) dnl - - gen_require(` - type rtorrent_server_packet_t; - ') - - dontaudit $1 rtorrent_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rtorrent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtorrent_server_packets'($*)) dnl - - corenet_send_rtorrent_server_packets($1) - corenet_receive_rtorrent_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rtorrent_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtorrent_server_packets'($*)) dnl - - corenet_dontaudit_send_rtorrent_server_packets($1) - corenet_dontaudit_receive_rtorrent_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtorrent_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rtorrent_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rtorrent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtorrent_server_packets'($*)) dnl - - gen_require(` - type rtorrent_server_packet_t; - ') - - allow $1 rtorrent_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtorrent_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rtsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rtsp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rtsp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rtsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rtsp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rtsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rtsp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rtsp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtsp_port'($*)) dnl - - gen_require(` - type rtsp_port_t; - ') - - allow $1 rtsp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rtsp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtsp_port'($*)) dnl - - gen_require(` - type rtsp_port_t; - ') - - allow $1 rtsp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtsp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rtsp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rtsp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtsp_port'($*)) dnl - - gen_require(` - type rtsp_port_t; - ') - - allow $1 rtsp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtsp_port'($*)) dnl - ') - - - -######################################## -## -## Send rtsp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_client_packets'($*)) dnl - - gen_require(` - type rtsp_client_packet_t; - ') - - allow $1 rtsp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rtsp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl - - gen_require(` - type rtsp_client_packet_t; - ') - - dontaudit $1 rtsp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rtsp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_client_packets'($*)) dnl - - gen_require(` - type rtsp_client_packet_t; - ') - - allow $1 rtsp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rtsp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl - - gen_require(` - type rtsp_client_packet_t; - ') - - dontaudit $1 rtsp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rtsp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_client_packets'($*)) dnl - - corenet_send_rtsp_client_packets($1) - corenet_receive_rtsp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rtsp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl - - corenet_dontaudit_send_rtsp_client_packets($1) - corenet_dontaudit_receive_rtsp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rtsp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rtsp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_client_packets'($*)) dnl - - gen_require(` - type rtsp_client_packet_t; - ') - - allow $1 rtsp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rtsp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_server_packets'($*)) dnl - - gen_require(` - type rtsp_server_packet_t; - ') - - allow $1 rtsp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rtsp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl - - gen_require(` - type rtsp_server_packet_t; - ') - - dontaudit $1 rtsp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rtsp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_server_packets'($*)) dnl - - gen_require(` - type rtsp_server_packet_t; - ') - - allow $1 rtsp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rtsp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl - - gen_require(` - type rtsp_server_packet_t; - ') - - dontaudit $1 rtsp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rtsp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_server_packets'($*)) dnl - - corenet_send_rtsp_server_packets($1) - corenet_receive_rtsp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rtsp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl - - corenet_dontaudit_send_rtsp_server_packets($1) - corenet_dontaudit_receive_rtsp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rtsp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rtsp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_server_packets'($*)) dnl - - gen_require(` - type rtsp_server_packet_t; - ') - - allow $1 rtsp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the rwho port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rwho_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the rwho port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_rwho_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the rwho port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rwho_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the rwho port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rwho_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the rwho port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the rwho port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rwho_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the rwho port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the rwho port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rwho_port'($*)) dnl - - gen_require(` - type rwho_port_t; - ') - - allow $1 rwho_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rwho_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the rwho port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rwho_port'($*)) dnl - - gen_require(` - type rwho_port_t; - ') - - allow $1 rwho_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rwho_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the rwho port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_rwho_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rwho_port'($*)) dnl - - gen_require(` - type rwho_port_t; - ') - - allow $1 rwho_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rwho_port'($*)) dnl - ') - - - -######################################## -## -## Send rwho_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_client_packets'($*)) dnl - - gen_require(` - type rwho_client_packet_t; - ') - - allow $1 rwho_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rwho_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_client_packets'($*)) dnl - - gen_require(` - type rwho_client_packet_t; - ') - - dontaudit $1 rwho_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive rwho_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_client_packets'($*)) dnl - - gen_require(` - type rwho_client_packet_t; - ') - - allow $1 rwho_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rwho_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl - - gen_require(` - type rwho_client_packet_t; - ') - - dontaudit $1 rwho_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rwho_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_client_packets'($*)) dnl - - corenet_send_rwho_client_packets($1) - corenet_receive_rwho_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rwho_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl - - corenet_dontaudit_send_rwho_client_packets($1) - corenet_dontaudit_receive_rwho_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rwho_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_rwho_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_client_packets'($*)) dnl - - gen_require(` - type rwho_client_packet_t; - ') - - allow $1 rwho_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send rwho_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_server_packets'($*)) dnl - - gen_require(` - type rwho_server_packet_t; - ') - - allow $1 rwho_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send rwho_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_server_packets'($*)) dnl - - gen_require(` - type rwho_server_packet_t; - ') - - dontaudit $1 rwho_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive rwho_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_server_packets'($*)) dnl - - gen_require(` - type rwho_server_packet_t; - ') - - allow $1 rwho_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive rwho_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl - - gen_require(` - type rwho_server_packet_t; - ') - - dontaudit $1 rwho_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive rwho_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_server_packets'($*)) dnl - - corenet_send_rwho_server_packets($1) - corenet_receive_rwho_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive rwho_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl - - corenet_dontaudit_send_rwho_server_packets($1) - corenet_dontaudit_receive_rwho_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to rwho_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_rwho_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_server_packets'($*)) dnl - - gen_require(` - type rwho_server_packet_t; - ') - - allow $1 rwho_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the salt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_salt_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the salt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_salt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the salt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_salt_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the salt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_salt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the salt port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_salt_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the salt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_salt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the salt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the salt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_salt_port'($*)) dnl - - gen_require(` - type salt_port_t; - ') - - allow $1 salt_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_salt_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the salt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_salt_port'($*)) dnl - - gen_require(` - type salt_port_t; - ') - - allow $1 salt_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_salt_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the salt port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_salt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_salt_port'($*)) dnl - - gen_require(` - type salt_port_t; - ') - - allow $1 salt_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_salt_port'($*)) dnl - ') - - - -######################################## -## -## Send salt_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_salt_client_packets'($*)) dnl - - gen_require(` - type salt_client_packet_t; - ') - - allow $1 salt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send salt_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_client_packets'($*)) dnl - - gen_require(` - type salt_client_packet_t; - ') - - dontaudit $1 salt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive salt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_client_packets'($*)) dnl - - gen_require(` - type salt_client_packet_t; - ') - - allow $1 salt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive salt_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_client_packets'($*)) dnl - - gen_require(` - type salt_client_packet_t; - ') - - dontaudit $1 salt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive salt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_client_packets'($*)) dnl - - corenet_send_salt_client_packets($1) - corenet_receive_salt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive salt_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl - - corenet_dontaudit_send_salt_client_packets($1) - corenet_dontaudit_receive_salt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to salt_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_salt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_client_packets'($*)) dnl - - gen_require(` - type salt_client_packet_t; - ') - - allow $1 salt_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send salt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_salt_server_packets'($*)) dnl - - gen_require(` - type salt_server_packet_t; - ') - - allow $1 salt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send salt_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_server_packets'($*)) dnl - - gen_require(` - type salt_server_packet_t; - ') - - dontaudit $1 salt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive salt_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_server_packets'($*)) dnl - - gen_require(` - type salt_server_packet_t; - ') - - allow $1 salt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive salt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_server_packets'($*)) dnl - - gen_require(` - type salt_server_packet_t; - ') - - dontaudit $1 salt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive salt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_server_packets'($*)) dnl - - corenet_send_salt_server_packets($1) - corenet_receive_salt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive salt_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl - - corenet_dontaudit_send_salt_server_packets($1) - corenet_dontaudit_receive_salt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to salt_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_salt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_server_packets'($*)) dnl - - gen_require(` - type salt_server_packet_t; - ') - - allow $1 salt_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the sap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the sap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_sap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the sap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the sap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the sap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the sap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the sap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the sap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sap_port'($*)) dnl - - gen_require(` - type sap_port_t; - ') - - allow $1 sap_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the sap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sap_port'($*)) dnl - - gen_require(` - type sap_port_t; - ') - - allow $1 sap_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the sap port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_sap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sap_port'($*)) dnl - - gen_require(` - type sap_port_t; - ') - - allow $1 sap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sap_port'($*)) dnl - ') - - - -######################################## -## -## Send sap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sap_client_packets'($*)) dnl - - gen_require(` - type sap_client_packet_t; - ') - - allow $1 sap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_client_packets'($*)) dnl - - gen_require(` - type sap_client_packet_t; - ') - - dontaudit $1 sap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive sap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_client_packets'($*)) dnl - - gen_require(` - type sap_client_packet_t; - ') - - allow $1 sap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_client_packets'($*)) dnl - - gen_require(` - type sap_client_packet_t; - ') - - dontaudit $1 sap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_client_packets'($*)) dnl - - corenet_send_sap_client_packets($1) - corenet_receive_sap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl - - corenet_dontaudit_send_sap_client_packets($1) - corenet_dontaudit_receive_sap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sap_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_sap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_client_packets'($*)) dnl - - gen_require(` - type sap_client_packet_t; - ') - - allow $1 sap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send sap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sap_server_packets'($*)) dnl - - gen_require(` - type sap_server_packet_t; - ') - - allow $1 sap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_server_packets'($*)) dnl - - gen_require(` - type sap_server_packet_t; - ') - - dontaudit $1 sap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive sap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_server_packets'($*)) dnl - - gen_require(` - type sap_server_packet_t; - ') - - allow $1 sap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_server_packets'($*)) dnl - - gen_require(` - type sap_server_packet_t; - ') - - dontaudit $1 sap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_server_packets'($*)) dnl - - corenet_send_sap_server_packets($1) - corenet_receive_sap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sap_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl - - corenet_dontaudit_send_sap_server_packets($1) - corenet_dontaudit_receive_sap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sap_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_server_packets'($*)) dnl - - gen_require(` - type sap_server_packet_t; - ') - - allow $1 sap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the servistaitsm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the servistaitsm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the servistaitsm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the servistaitsm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the servistaitsm port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the servistaitsm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the servistaitsm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the servistaitsm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_servistaitsm_port'($*)) dnl - - gen_require(` - type servistaitsm_port_t; - ') - - allow $1 servistaitsm_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the servistaitsm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_servistaitsm_port'($*)) dnl - - gen_require(` - type servistaitsm_port_t; - ') - - allow $1 servistaitsm_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_servistaitsm_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the servistaitsm port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_servistaitsm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_servistaitsm_port'($*)) dnl - - gen_require(` - type servistaitsm_port_t; - ') - - allow $1 servistaitsm_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_servistaitsm_port'($*)) dnl - ') - - - -######################################## -## -## Send servistaitsm_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_client_packets'($*)) dnl - - gen_require(` - type servistaitsm_client_packet_t; - ') - - allow $1 servistaitsm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send servistaitsm_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl - - gen_require(` - type servistaitsm_client_packet_t; - ') - - dontaudit $1 servistaitsm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive servistaitsm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_client_packets'($*)) dnl - - gen_require(` - type servistaitsm_client_packet_t; - ') - - allow $1 servistaitsm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive servistaitsm_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl - - gen_require(` - type servistaitsm_client_packet_t; - ') - - dontaudit $1 servistaitsm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive servistaitsm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl - - corenet_send_servistaitsm_client_packets($1) - corenet_receive_servistaitsm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive servistaitsm_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl - - corenet_dontaudit_send_servistaitsm_client_packets($1) - corenet_dontaudit_receive_servistaitsm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to servistaitsm_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_servistaitsm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_client_packets'($*)) dnl - - gen_require(` - type servistaitsm_client_packet_t; - ') - - allow $1 servistaitsm_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send servistaitsm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_server_packets'($*)) dnl - - gen_require(` - type servistaitsm_server_packet_t; - ') - - allow $1 servistaitsm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send servistaitsm_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl - - gen_require(` - type servistaitsm_server_packet_t; - ') - - dontaudit $1 servistaitsm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive servistaitsm_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_server_packets'($*)) dnl - - gen_require(` - type servistaitsm_server_packet_t; - ') - - allow $1 servistaitsm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive servistaitsm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl - - gen_require(` - type servistaitsm_server_packet_t; - ') - - dontaudit $1 servistaitsm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive servistaitsm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl - - corenet_send_servistaitsm_server_packets($1) - corenet_receive_servistaitsm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive servistaitsm_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl - - corenet_dontaudit_send_servistaitsm_server_packets($1) - corenet_dontaudit_receive_servistaitsm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to servistaitsm_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_servistaitsm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_server_packets'($*)) dnl - - gen_require(` - type servistaitsm_server_packet_t; - ') - - allow $1 servistaitsm_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the sieve port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sieve_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the sieve port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_sieve_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the sieve port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sieve_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the sieve port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sieve_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the sieve port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the sieve port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sieve_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the sieve port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the sieve port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sieve_port'($*)) dnl - - gen_require(` - type sieve_port_t; - ') - - allow $1 sieve_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sieve_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the sieve port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sieve_port'($*)) dnl - - gen_require(` - type sieve_port_t; - ') - - allow $1 sieve_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sieve_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the sieve port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_sieve_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sieve_port'($*)) dnl - - gen_require(` - type sieve_port_t; - ') - - allow $1 sieve_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sieve_port'($*)) dnl - ') - - - -######################################## -## -## Send sieve_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_client_packets'($*)) dnl - - gen_require(` - type sieve_client_packet_t; - ') - - allow $1 sieve_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sieve_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_client_packets'($*)) dnl - - gen_require(` - type sieve_client_packet_t; - ') - - dontaudit $1 sieve_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive sieve_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_client_packets'($*)) dnl - - gen_require(` - type sieve_client_packet_t; - ') - - allow $1 sieve_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sieve_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl - - gen_require(` - type sieve_client_packet_t; - ') - - dontaudit $1 sieve_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sieve_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_client_packets'($*)) dnl - - corenet_send_sieve_client_packets($1) - corenet_receive_sieve_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sieve_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl - - corenet_dontaudit_send_sieve_client_packets($1) - corenet_dontaudit_receive_sieve_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sieve_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_sieve_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_client_packets'($*)) dnl - - gen_require(` - type sieve_client_packet_t; - ') - - allow $1 sieve_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send sieve_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_server_packets'($*)) dnl - - gen_require(` - type sieve_server_packet_t; - ') - - allow $1 sieve_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sieve_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_server_packets'($*)) dnl - - gen_require(` - type sieve_server_packet_t; - ') - - dontaudit $1 sieve_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive sieve_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_server_packets'($*)) dnl - - gen_require(` - type sieve_server_packet_t; - ') - - allow $1 sieve_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sieve_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl - - gen_require(` - type sieve_server_packet_t; - ') - - dontaudit $1 sieve_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sieve_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_server_packets'($*)) dnl - - corenet_send_sieve_server_packets($1) - corenet_receive_sieve_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sieve_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl - - corenet_dontaudit_send_sieve_server_packets($1) - corenet_dontaudit_receive_sieve_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sieve_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sieve_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_server_packets'($*)) dnl - - gen_require(` - type sieve_server_packet_t; - ') - - allow $1 sieve_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the sip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sip_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the sip port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_sip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the sip port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sip_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the sip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the sip port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sip_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the sip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sip_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the sip port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the sip port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sip_port'($*)) dnl - - gen_require(` - type sip_port_t; - ') - - allow $1 sip_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sip_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the sip port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sip_port'($*)) dnl - - gen_require(` - type sip_port_t; - ') - - allow $1 sip_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sip_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the sip port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_sip_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sip_port'($*)) dnl - - gen_require(` - type sip_port_t; - ') - - allow $1 sip_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sip_port'($*)) dnl - ') - - - -######################################## -## -## Send sip_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sip_client_packets'($*)) dnl - - gen_require(` - type sip_client_packet_t; - ') - - allow $1 sip_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sip_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_client_packets'($*)) dnl - - gen_require(` - type sip_client_packet_t; - ') - - dontaudit $1 sip_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive sip_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_client_packets'($*)) dnl - - gen_require(` - type sip_client_packet_t; - ') - - allow $1 sip_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sip_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_client_packets'($*)) dnl - - gen_require(` - type sip_client_packet_t; - ') - - dontaudit $1 sip_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sip_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_client_packets'($*)) dnl - - corenet_send_sip_client_packets($1) - corenet_receive_sip_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sip_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl - - corenet_dontaudit_send_sip_client_packets($1) - corenet_dontaudit_receive_sip_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sip_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_sip_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_client_packets'($*)) dnl - - gen_require(` - type sip_client_packet_t; - ') - - allow $1 sip_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send sip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sip_server_packets'($*)) dnl - - gen_require(` - type sip_server_packet_t; - ') - - allow $1 sip_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sip_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_server_packets'($*)) dnl - - gen_require(` - type sip_server_packet_t; - ') - - dontaudit $1 sip_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive sip_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_server_packets'($*)) dnl - - gen_require(` - type sip_server_packet_t; - ') - - allow $1 sip_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_server_packets'($*)) dnl - - gen_require(` - type sip_server_packet_t; - ') - - dontaudit $1 sip_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sip_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_server_packets'($*)) dnl - - corenet_send_sip_server_packets($1) - corenet_receive_sip_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sip_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl - - corenet_dontaudit_send_sip_server_packets($1) - corenet_dontaudit_receive_sip_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sip_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sip_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_server_packets'($*)) dnl - - gen_require(` - type sip_server_packet_t; - ') - - allow $1 sip_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the sixxsconfig port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the sixxsconfig port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the sixxsconfig port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the sixxsconfig port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the sixxsconfig port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the sixxsconfig port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the sixxsconfig port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the sixxsconfig port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sixxsconfig_port'($*)) dnl - - gen_require(` - type sixxsconfig_port_t; - ') - - allow $1 sixxsconfig_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the sixxsconfig port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sixxsconfig_port'($*)) dnl - - gen_require(` - type sixxsconfig_port_t; - ') - - allow $1 sixxsconfig_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sixxsconfig_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the sixxsconfig port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_sixxsconfig_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sixxsconfig_port'($*)) dnl - - gen_require(` - type sixxsconfig_port_t; - ') - - allow $1 sixxsconfig_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sixxsconfig_port'($*)) dnl - ') - - - -######################################## -## -## Send sixxsconfig_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_client_packets'($*)) dnl - - gen_require(` - type sixxsconfig_client_packet_t; - ') - - allow $1 sixxsconfig_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sixxsconfig_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl - - gen_require(` - type sixxsconfig_client_packet_t; - ') - - dontaudit $1 sixxsconfig_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive sixxsconfig_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_client_packets'($*)) dnl - - gen_require(` - type sixxsconfig_client_packet_t; - ') - - allow $1 sixxsconfig_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sixxsconfig_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl - - gen_require(` - type sixxsconfig_client_packet_t; - ') - - dontaudit $1 sixxsconfig_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sixxsconfig_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl - - corenet_send_sixxsconfig_client_packets($1) - corenet_receive_sixxsconfig_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sixxsconfig_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl - - corenet_dontaudit_send_sixxsconfig_client_packets($1) - corenet_dontaudit_receive_sixxsconfig_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sixxsconfig_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_sixxsconfig_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl - - gen_require(` - type sixxsconfig_client_packet_t; - ') - - allow $1 sixxsconfig_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send sixxsconfig_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_server_packets'($*)) dnl - - gen_require(` - type sixxsconfig_server_packet_t; - ') - - allow $1 sixxsconfig_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sixxsconfig_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl - - gen_require(` - type sixxsconfig_server_packet_t; - ') - - dontaudit $1 sixxsconfig_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive sixxsconfig_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_server_packets'($*)) dnl - - gen_require(` - type sixxsconfig_server_packet_t; - ') - - allow $1 sixxsconfig_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sixxsconfig_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl - - gen_require(` - type sixxsconfig_server_packet_t; - ') - - dontaudit $1 sixxsconfig_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sixxsconfig_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl - - corenet_send_sixxsconfig_server_packets($1) - corenet_receive_sixxsconfig_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sixxsconfig_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl - - corenet_dontaudit_send_sixxsconfig_server_packets($1) - corenet_dontaudit_receive_sixxsconfig_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sixxsconfig_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sixxsconfig_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl - - gen_require(` - type sixxsconfig_server_packet_t; - ') - - allow $1 sixxsconfig_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the smbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smbd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the smbd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_smbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the smbd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smbd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the smbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the smbd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the smbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smbd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the smbd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the smbd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smbd_port'($*)) dnl - - gen_require(` - type smbd_port_t; - ') - - allow $1 smbd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smbd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the smbd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smbd_port'($*)) dnl - - gen_require(` - type smbd_port_t; - ') - - allow $1 smbd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smbd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the smbd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_smbd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smbd_port'($*)) dnl - - gen_require(` - type smbd_port_t; - ') - - allow $1 smbd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smbd_port'($*)) dnl - ') - - - -######################################## -## -## Send smbd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_client_packets'($*)) dnl - - gen_require(` - type smbd_client_packet_t; - ') - - allow $1 smbd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send smbd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_client_packets'($*)) dnl - - gen_require(` - type smbd_client_packet_t; - ') - - dontaudit $1 smbd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive smbd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_client_packets'($*)) dnl - - gen_require(` - type smbd_client_packet_t; - ') - - allow $1 smbd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive smbd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl - - gen_require(` - type smbd_client_packet_t; - ') - - dontaudit $1 smbd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive smbd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_client_packets'($*)) dnl - - corenet_send_smbd_client_packets($1) - corenet_receive_smbd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive smbd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl - - corenet_dontaudit_send_smbd_client_packets($1) - corenet_dontaudit_receive_smbd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to smbd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_smbd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_client_packets'($*)) dnl - - gen_require(` - type smbd_client_packet_t; - ') - - allow $1 smbd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send smbd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_server_packets'($*)) dnl - - gen_require(` - type smbd_server_packet_t; - ') - - allow $1 smbd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send smbd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_server_packets'($*)) dnl - - gen_require(` - type smbd_server_packet_t; - ') - - dontaudit $1 smbd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive smbd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_server_packets'($*)) dnl - - gen_require(` - type smbd_server_packet_t; - ') - - allow $1 smbd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive smbd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl - - gen_require(` - type smbd_server_packet_t; - ') - - dontaudit $1 smbd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive smbd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_server_packets'($*)) dnl - - corenet_send_smbd_server_packets($1) - corenet_receive_smbd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive smbd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl - - corenet_dontaudit_send_smbd_server_packets($1) - corenet_dontaudit_receive_smbd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to smbd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_smbd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_server_packets'($*)) dnl - - gen_require(` - type smbd_server_packet_t; - ') - - allow $1 smbd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the smtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smtp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the smtp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_smtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the smtp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smtp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the smtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the smtp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the smtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smtp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the smtp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the smtp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smtp_port'($*)) dnl - - gen_require(` - type smtp_port_t; - ') - - allow $1 smtp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smtp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the smtp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smtp_port'($*)) dnl - - gen_require(` - type smtp_port_t; - ') - - allow $1 smtp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smtp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the smtp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_smtp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smtp_port'($*)) dnl - - gen_require(` - type smtp_port_t; - ') - - allow $1 smtp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smtp_port'($*)) dnl - ') - - - -######################################## -## -## Send smtp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_client_packets'($*)) dnl - - gen_require(` - type smtp_client_packet_t; - ') - - allow $1 smtp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send smtp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_client_packets'($*)) dnl - - gen_require(` - type smtp_client_packet_t; - ') - - dontaudit $1 smtp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive smtp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_client_packets'($*)) dnl - - gen_require(` - type smtp_client_packet_t; - ') - - allow $1 smtp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive smtp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl - - gen_require(` - type smtp_client_packet_t; - ') - - dontaudit $1 smtp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive smtp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_client_packets'($*)) dnl - - corenet_send_smtp_client_packets($1) - corenet_receive_smtp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive smtp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl - - corenet_dontaudit_send_smtp_client_packets($1) - corenet_dontaudit_receive_smtp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to smtp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_smtp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_client_packets'($*)) dnl - - gen_require(` - type smtp_client_packet_t; - ') - - allow $1 smtp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send smtp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_server_packets'($*)) dnl - - gen_require(` - type smtp_server_packet_t; - ') - - allow $1 smtp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send smtp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_server_packets'($*)) dnl - - gen_require(` - type smtp_server_packet_t; - ') - - dontaudit $1 smtp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive smtp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_server_packets'($*)) dnl - - gen_require(` - type smtp_server_packet_t; - ') - - allow $1 smtp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive smtp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl - - gen_require(` - type smtp_server_packet_t; - ') - - dontaudit $1 smtp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive smtp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_server_packets'($*)) dnl - - corenet_send_smtp_server_packets($1) - corenet_receive_smtp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive smtp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl - - corenet_dontaudit_send_smtp_server_packets($1) - corenet_dontaudit_receive_smtp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to smtp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_smtp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_server_packets'($*)) dnl - - gen_require(` - type smtp_server_packet_t; - ') - - allow $1 smtp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the snmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_snmp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the snmp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_snmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the snmp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_snmp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the snmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_snmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the snmp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the snmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_snmp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the snmp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the snmp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_snmp_port'($*)) dnl - - gen_require(` - type snmp_port_t; - ') - - allow $1 snmp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_snmp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the snmp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_snmp_port'($*)) dnl - - gen_require(` - type snmp_port_t; - ') - - allow $1 snmp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_snmp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the snmp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_snmp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_snmp_port'($*)) dnl - - gen_require(` - type snmp_port_t; - ') - - allow $1 snmp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_snmp_port'($*)) dnl - ') - - - -######################################## -## -## Send snmp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_client_packets'($*)) dnl - - gen_require(` - type snmp_client_packet_t; - ') - - allow $1 snmp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send snmp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_client_packets'($*)) dnl - - gen_require(` - type snmp_client_packet_t; - ') - - dontaudit $1 snmp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive snmp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_client_packets'($*)) dnl - - gen_require(` - type snmp_client_packet_t; - ') - - allow $1 snmp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive snmp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl - - gen_require(` - type snmp_client_packet_t; - ') - - dontaudit $1 snmp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive snmp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_client_packets'($*)) dnl - - corenet_send_snmp_client_packets($1) - corenet_receive_snmp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive snmp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl - - corenet_dontaudit_send_snmp_client_packets($1) - corenet_dontaudit_receive_snmp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to snmp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_snmp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_client_packets'($*)) dnl - - gen_require(` - type snmp_client_packet_t; - ') - - allow $1 snmp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send snmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_server_packets'($*)) dnl - - gen_require(` - type snmp_server_packet_t; - ') - - allow $1 snmp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send snmp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_server_packets'($*)) dnl - - gen_require(` - type snmp_server_packet_t; - ') - - dontaudit $1 snmp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive snmp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_server_packets'($*)) dnl - - gen_require(` - type snmp_server_packet_t; - ') - - allow $1 snmp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive snmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl - - gen_require(` - type snmp_server_packet_t; - ') - - dontaudit $1 snmp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive snmp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_server_packets'($*)) dnl - - corenet_send_snmp_server_packets($1) - corenet_receive_snmp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive snmp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl - - corenet_dontaudit_send_snmp_server_packets($1) - corenet_dontaudit_receive_snmp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to snmp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_snmp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_server_packets'($*)) dnl - - gen_require(` - type snmp_server_packet_t; - ') - - allow $1 snmp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the socks port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_socks_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the socks port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_socks_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the socks port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_socks_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the socks port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_socks_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the socks port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_socks_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the socks port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_socks_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the socks port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the socks port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_socks_port'($*)) dnl - - gen_require(` - type socks_port_t; - ') - - allow $1 socks_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_socks_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the socks port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_socks_port'($*)) dnl - - gen_require(` - type socks_port_t; - ') - - allow $1 socks_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_socks_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the socks port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_socks_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_socks_port'($*)) dnl - - gen_require(` - type socks_port_t; - ') - - allow $1 socks_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_socks_port'($*)) dnl - ') - - - -######################################## -## -## Send socks_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_socks_client_packets'($*)) dnl - - gen_require(` - type socks_client_packet_t; - ') - - allow $1 socks_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send socks_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_client_packets'($*)) dnl - - gen_require(` - type socks_client_packet_t; - ') - - dontaudit $1 socks_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive socks_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_client_packets'($*)) dnl - - gen_require(` - type socks_client_packet_t; - ') - - allow $1 socks_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive socks_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_client_packets'($*)) dnl - - gen_require(` - type socks_client_packet_t; - ') - - dontaudit $1 socks_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive socks_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_client_packets'($*)) dnl - - corenet_send_socks_client_packets($1) - corenet_receive_socks_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive socks_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl - - corenet_dontaudit_send_socks_client_packets($1) - corenet_dontaudit_receive_socks_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to socks_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_socks_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_client_packets'($*)) dnl - - gen_require(` - type socks_client_packet_t; - ') - - allow $1 socks_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send socks_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_socks_server_packets'($*)) dnl - - gen_require(` - type socks_server_packet_t; - ') - - allow $1 socks_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send socks_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_server_packets'($*)) dnl - - gen_require(` - type socks_server_packet_t; - ') - - dontaudit $1 socks_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive socks_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_server_packets'($*)) dnl - - gen_require(` - type socks_server_packet_t; - ') - - allow $1 socks_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive socks_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_server_packets'($*)) dnl - - gen_require(` - type socks_server_packet_t; - ') - - dontaudit $1 socks_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive socks_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_server_packets'($*)) dnl - - corenet_send_socks_server_packets($1) - corenet_receive_socks_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive socks_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl - - corenet_dontaudit_send_socks_server_packets($1) - corenet_dontaudit_receive_socks_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to socks_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_socks_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_server_packets'($*)) dnl - - gen_require(` - type socks_server_packet_t; - ') - - allow $1 socks_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the soundd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_soundd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the soundd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_soundd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the soundd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_soundd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the soundd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_soundd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the soundd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the soundd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_soundd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the soundd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the soundd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_soundd_port'($*)) dnl - - gen_require(` - type soundd_port_t; - ') - - allow $1 soundd_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_soundd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the soundd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_soundd_port'($*)) dnl - - gen_require(` - type soundd_port_t; - ') - - allow $1 soundd_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_soundd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the soundd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_soundd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_soundd_port'($*)) dnl - - gen_require(` - type soundd_port_t; - ') - - allow $1 soundd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_soundd_port'($*)) dnl - ') - - - -######################################## -## -## Send soundd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_client_packets'($*)) dnl - - gen_require(` - type soundd_client_packet_t; - ') - - allow $1 soundd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send soundd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_client_packets'($*)) dnl - - gen_require(` - type soundd_client_packet_t; - ') - - dontaudit $1 soundd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive soundd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_client_packets'($*)) dnl - - gen_require(` - type soundd_client_packet_t; - ') - - allow $1 soundd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive soundd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl - - gen_require(` - type soundd_client_packet_t; - ') - - dontaudit $1 soundd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive soundd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_client_packets'($*)) dnl - - corenet_send_soundd_client_packets($1) - corenet_receive_soundd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive soundd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl - - corenet_dontaudit_send_soundd_client_packets($1) - corenet_dontaudit_receive_soundd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to soundd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_soundd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_client_packets'($*)) dnl - - gen_require(` - type soundd_client_packet_t; - ') - - allow $1 soundd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send soundd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_server_packets'($*)) dnl - - gen_require(` - type soundd_server_packet_t; - ') - - allow $1 soundd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send soundd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_server_packets'($*)) dnl - - gen_require(` - type soundd_server_packet_t; - ') - - dontaudit $1 soundd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive soundd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_server_packets'($*)) dnl - - gen_require(` - type soundd_server_packet_t; - ') - - allow $1 soundd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive soundd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl - - gen_require(` - type soundd_server_packet_t; - ') - - dontaudit $1 soundd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive soundd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_server_packets'($*)) dnl - - corenet_send_soundd_server_packets($1) - corenet_receive_soundd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive soundd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl - - corenet_dontaudit_send_soundd_server_packets($1) - corenet_dontaudit_receive_soundd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to soundd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_soundd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_server_packets'($*)) dnl - - gen_require(` - type soundd_server_packet_t; - ') - - allow $1 soundd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the spamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_spamd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the spamd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_spamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the spamd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_spamd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the spamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_spamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the spamd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the spamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_spamd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the spamd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_spamd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the spamd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_spamd_port'($*)) dnl - - gen_require(` - type spamd_port_t; - ') - - allow $1 spamd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_spamd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the spamd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_spamd_port'($*)) dnl - - gen_require(` - type spamd_port_t; - ') - - allow $1 spamd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_spamd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the spamd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_spamd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_spamd_port'($*)) dnl - - gen_require(` - type spamd_port_t; - ') - - allow $1 spamd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_spamd_port'($*)) dnl - ') - - - -######################################## -## -## Send spamd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_client_packets'($*)) dnl - - gen_require(` - type spamd_client_packet_t; - ') - - allow $1 spamd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send spamd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_client_packets'($*)) dnl - - gen_require(` - type spamd_client_packet_t; - ') - - dontaudit $1 spamd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive spamd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_client_packets'($*)) dnl - - gen_require(` - type spamd_client_packet_t; - ') - - allow $1 spamd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive spamd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl - - gen_require(` - type spamd_client_packet_t; - ') - - dontaudit $1 spamd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive spamd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_client_packets'($*)) dnl - - corenet_send_spamd_client_packets($1) - corenet_receive_spamd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive spamd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl - - corenet_dontaudit_send_spamd_client_packets($1) - corenet_dontaudit_receive_spamd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to spamd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_spamd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_client_packets'($*)) dnl - - gen_require(` - type spamd_client_packet_t; - ') - - allow $1 spamd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send spamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_server_packets'($*)) dnl - - gen_require(` - type spamd_server_packet_t; - ') - - allow $1 spamd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send spamd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_server_packets'($*)) dnl - - gen_require(` - type spamd_server_packet_t; - ') - - dontaudit $1 spamd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive spamd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_server_packets'($*)) dnl - - gen_require(` - type spamd_server_packet_t; - ') - - allow $1 spamd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive spamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl - - gen_require(` - type spamd_server_packet_t; - ') - - dontaudit $1 spamd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive spamd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_server_packets'($*)) dnl - - corenet_send_spamd_server_packets($1) - corenet_receive_spamd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive spamd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl - - corenet_dontaudit_send_spamd_server_packets($1) - corenet_dontaudit_receive_spamd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to spamd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_spamd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_server_packets'($*)) dnl - - gen_require(` - type spamd_server_packet_t; - ') - - allow $1 spamd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the speech port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_speech_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the speech port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_speech_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the speech port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_speech_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the speech port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_speech_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the speech port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_speech_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the speech port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_speech_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the speech port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_speech_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_speech_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the speech port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_speech_port'($*)) dnl - - gen_require(` - type speech_port_t; - ') - - allow $1 speech_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_speech_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the speech port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_speech_port'($*)) dnl - - gen_require(` - type speech_port_t; - ') - - allow $1 speech_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_speech_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the speech port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_speech_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_speech_port'($*)) dnl - - gen_require(` - type speech_port_t; - ') - - allow $1 speech_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_speech_port'($*)) dnl - ') - - - -######################################## -## -## Send speech_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_speech_client_packets'($*)) dnl - - gen_require(` - type speech_client_packet_t; - ') - - allow $1 speech_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send speech_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_client_packets'($*)) dnl - - gen_require(` - type speech_client_packet_t; - ') - - dontaudit $1 speech_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive speech_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_client_packets'($*)) dnl - - gen_require(` - type speech_client_packet_t; - ') - - allow $1 speech_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive speech_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_client_packets'($*)) dnl - - gen_require(` - type speech_client_packet_t; - ') - - dontaudit $1 speech_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive speech_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_client_packets'($*)) dnl - - corenet_send_speech_client_packets($1) - corenet_receive_speech_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive speech_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_client_packets'($*)) dnl - - corenet_dontaudit_send_speech_client_packets($1) - corenet_dontaudit_receive_speech_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to speech_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_speech_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_client_packets'($*)) dnl - - gen_require(` - type speech_client_packet_t; - ') - - allow $1 speech_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send speech_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_speech_server_packets'($*)) dnl - - gen_require(` - type speech_server_packet_t; - ') - - allow $1 speech_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send speech_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_server_packets'($*)) dnl - - gen_require(` - type speech_server_packet_t; - ') - - dontaudit $1 speech_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive speech_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_server_packets'($*)) dnl - - gen_require(` - type speech_server_packet_t; - ') - - allow $1 speech_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive speech_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_server_packets'($*)) dnl - - gen_require(` - type speech_server_packet_t; - ') - - dontaudit $1 speech_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive speech_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_server_packets'($*)) dnl - - corenet_send_speech_server_packets($1) - corenet_receive_speech_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive speech_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_server_packets'($*)) dnl - - corenet_dontaudit_send_speech_server_packets($1) - corenet_dontaudit_receive_speech_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to speech_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_speech_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_server_packets'($*)) dnl - - gen_require(` - type speech_server_packet_t; - ') - - allow $1 speech_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the squid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_squid_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the squid port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_squid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the squid port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_squid_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the squid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_squid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the squid port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_squid_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the squid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_squid_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the squid port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_squid_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the squid port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_squid_port'($*)) dnl - - gen_require(` - type squid_port_t; - ') - - allow $1 squid_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_squid_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the squid port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_squid_port'($*)) dnl - - gen_require(` - type squid_port_t; - ') - - allow $1 squid_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_squid_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the squid port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_squid_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_squid_port'($*)) dnl - - gen_require(` - type squid_port_t; - ') - - allow $1 squid_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_squid_port'($*)) dnl - ') - - - -######################################## -## -## Send squid_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_squid_client_packets'($*)) dnl - - gen_require(` - type squid_client_packet_t; - ') - - allow $1 squid_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send squid_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_client_packets'($*)) dnl - - gen_require(` - type squid_client_packet_t; - ') - - dontaudit $1 squid_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive squid_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_client_packets'($*)) dnl - - gen_require(` - type squid_client_packet_t; - ') - - allow $1 squid_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive squid_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_client_packets'($*)) dnl - - gen_require(` - type squid_client_packet_t; - ') - - dontaudit $1 squid_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive squid_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_client_packets'($*)) dnl - - corenet_send_squid_client_packets($1) - corenet_receive_squid_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive squid_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl - - corenet_dontaudit_send_squid_client_packets($1) - corenet_dontaudit_receive_squid_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to squid_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_squid_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_client_packets'($*)) dnl - - gen_require(` - type squid_client_packet_t; - ') - - allow $1 squid_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send squid_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_squid_server_packets'($*)) dnl - - gen_require(` - type squid_server_packet_t; - ') - - allow $1 squid_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send squid_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_server_packets'($*)) dnl - - gen_require(` - type squid_server_packet_t; - ') - - dontaudit $1 squid_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive squid_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_server_packets'($*)) dnl - - gen_require(` - type squid_server_packet_t; - ') - - allow $1 squid_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive squid_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_server_packets'($*)) dnl - - gen_require(` - type squid_server_packet_t; - ') - - dontaudit $1 squid_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive squid_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_server_packets'($*)) dnl - - corenet_send_squid_server_packets($1) - corenet_receive_squid_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive squid_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl - - corenet_dontaudit_send_squid_server_packets($1) - corenet_dontaudit_receive_squid_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to squid_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_squid_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_server_packets'($*)) dnl - - gen_require(` - type squid_server_packet_t; - ') - - allow $1 squid_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_server_packets'($*)) dnl - ') - - - # snmp and htcp - - -######################################## -## -## Send and receive TCP traffic on the ssdp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ssdp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ssdp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ssdp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ssdp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ssdp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ssdp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ssdp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssdp_port'($*)) dnl - - gen_require(` - type ssdp_port_t; - ') - - allow $1 ssdp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ssdp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssdp_port'($*)) dnl - - gen_require(` - type ssdp_port_t; - ') - - allow $1 ssdp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssdp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ssdp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ssdp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssdp_port'($*)) dnl - - gen_require(` - type ssdp_port_t; - ') - - allow $1 ssdp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssdp_port'($*)) dnl - ') - - - -######################################## -## -## Send ssdp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_client_packets'($*)) dnl - - gen_require(` - type ssdp_client_packet_t; - ') - - allow $1 ssdp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ssdp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl - - gen_require(` - type ssdp_client_packet_t; - ') - - dontaudit $1 ssdp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ssdp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_client_packets'($*)) dnl - - gen_require(` - type ssdp_client_packet_t; - ') - - allow $1 ssdp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ssdp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl - - gen_require(` - type ssdp_client_packet_t; - ') - - dontaudit $1 ssdp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ssdp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_client_packets'($*)) dnl - - corenet_send_ssdp_client_packets($1) - corenet_receive_ssdp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ssdp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl - - corenet_dontaudit_send_ssdp_client_packets($1) - corenet_dontaudit_receive_ssdp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ssdp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ssdp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_client_packets'($*)) dnl - - gen_require(` - type ssdp_client_packet_t; - ') - - allow $1 ssdp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ssdp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_server_packets'($*)) dnl - - gen_require(` - type ssdp_server_packet_t; - ') - - allow $1 ssdp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ssdp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl - - gen_require(` - type ssdp_server_packet_t; - ') - - dontaudit $1 ssdp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ssdp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_server_packets'($*)) dnl - - gen_require(` - type ssdp_server_packet_t; - ') - - allow $1 ssdp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ssdp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl - - gen_require(` - type ssdp_server_packet_t; - ') - - dontaudit $1 ssdp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ssdp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_server_packets'($*)) dnl - - corenet_send_ssdp_server_packets($1) - corenet_receive_ssdp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ssdp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl - - corenet_dontaudit_send_ssdp_server_packets($1) - corenet_dontaudit_receive_ssdp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ssdp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ssdp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_server_packets'($*)) dnl - - gen_require(` - type ssdp_server_packet_t; - ') - - allow $1 ssdp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ssh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssh_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ssh port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ssh port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssh_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ssh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ssh port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ssh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssh_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ssh port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssh_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ssh port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssh_port'($*)) dnl - - gen_require(` - type ssh_port_t; - ') - - allow $1 ssh_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssh_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ssh port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssh_port'($*)) dnl - - gen_require(` - type ssh_port_t; - ') - - allow $1 ssh_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssh_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ssh port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ssh_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssh_port'($*)) dnl - - gen_require(` - type ssh_port_t; - ') - - allow $1 ssh_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssh_port'($*)) dnl - ') - - - -######################################## -## -## Send ssh_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_client_packets'($*)) dnl - - gen_require(` - type ssh_client_packet_t; - ') - - allow $1 ssh_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ssh_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_client_packets'($*)) dnl - - gen_require(` - type ssh_client_packet_t; - ') - - dontaudit $1 ssh_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ssh_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_client_packets'($*)) dnl - - gen_require(` - type ssh_client_packet_t; - ') - - allow $1 ssh_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ssh_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl - - gen_require(` - type ssh_client_packet_t; - ') - - dontaudit $1 ssh_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ssh_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_client_packets'($*)) dnl - - corenet_send_ssh_client_packets($1) - corenet_receive_ssh_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ssh_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl - - corenet_dontaudit_send_ssh_client_packets($1) - corenet_dontaudit_receive_ssh_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ssh_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ssh_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_client_packets'($*)) dnl - - gen_require(` - type ssh_client_packet_t; - ') - - allow $1 ssh_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ssh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_server_packets'($*)) dnl - - gen_require(` - type ssh_server_packet_t; - ') - - allow $1 ssh_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ssh_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_server_packets'($*)) dnl - - gen_require(` - type ssh_server_packet_t; - ') - - dontaudit $1 ssh_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ssh_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_server_packets'($*)) dnl - - gen_require(` - type ssh_server_packet_t; - ') - - allow $1 ssh_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ssh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl - - gen_require(` - type ssh_server_packet_t; - ') - - dontaudit $1 ssh_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ssh_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_server_packets'($*)) dnl - - corenet_send_ssh_server_packets($1) - corenet_receive_ssh_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ssh_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl - - corenet_dontaudit_send_ssh_server_packets($1) - corenet_dontaudit_receive_ssh_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ssh_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ssh_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_server_packets'($*)) dnl - - gen_require(` - type ssh_server_packet_t; - ') - - allow $1 ssh_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the stunnel port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the stunnel port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the stunnel port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the stunnel port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the stunnel port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the stunnel port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the stunnel port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_stunnel_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the stunnel port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_stunnel_port'($*)) dnl - - gen_require(` - type stunnel_port_t; - ') - - allow $1 stunnel_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the stunnel port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_stunnel_port'($*)) dnl - - gen_require(` - type stunnel_port_t; - ') - - allow $1 stunnel_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_stunnel_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the stunnel port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_stunnel_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_stunnel_port'($*)) dnl - - gen_require(` - type stunnel_port_t; - ') - - allow $1 stunnel_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_stunnel_port'($*)) dnl - ') - - - -######################################## -## -## Send stunnel_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_client_packets'($*)) dnl - - gen_require(` - type stunnel_client_packet_t; - ') - - allow $1 stunnel_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send stunnel_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_client_packets'($*)) dnl - - gen_require(` - type stunnel_client_packet_t; - ') - - dontaudit $1 stunnel_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive stunnel_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_client_packets'($*)) dnl - - gen_require(` - type stunnel_client_packet_t; - ') - - allow $1 stunnel_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive stunnel_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_client_packets'($*)) dnl - - gen_require(` - type stunnel_client_packet_t; - ') - - dontaudit $1 stunnel_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive stunnel_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_client_packets'($*)) dnl - - corenet_send_stunnel_client_packets($1) - corenet_receive_stunnel_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive stunnel_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_client_packets'($*)) dnl - - corenet_dontaudit_send_stunnel_client_packets($1) - corenet_dontaudit_receive_stunnel_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to stunnel_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_stunnel_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_client_packets'($*)) dnl - - gen_require(` - type stunnel_client_packet_t; - ') - - allow $1 stunnel_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send stunnel_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_server_packets'($*)) dnl - - gen_require(` - type stunnel_server_packet_t; - ') - - allow $1 stunnel_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send stunnel_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_server_packets'($*)) dnl - - gen_require(` - type stunnel_server_packet_t; - ') - - dontaudit $1 stunnel_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive stunnel_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_server_packets'($*)) dnl - - gen_require(` - type stunnel_server_packet_t; - ') - - allow $1 stunnel_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive stunnel_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_server_packets'($*)) dnl - - gen_require(` - type stunnel_server_packet_t; - ') - - dontaudit $1 stunnel_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive stunnel_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_server_packets'($*)) dnl - - corenet_send_stunnel_server_packets($1) - corenet_receive_stunnel_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive stunnel_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_server_packets'($*)) dnl - - corenet_dontaudit_send_stunnel_server_packets($1) - corenet_dontaudit_receive_stunnel_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to stunnel_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_stunnel_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_server_packets'($*)) dnl - - gen_require(` - type stunnel_server_packet_t; - ') - - allow $1 stunnel_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the svn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svn_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the svn port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_svn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the svn port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svn_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the svn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the svn port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svn_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the svn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svn_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the svn port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svn_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svn_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the svn port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svn_port'($*)) dnl - - gen_require(` - type svn_port_t; - ') - - allow $1 svn_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svn_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the svn port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svn_port'($*)) dnl - - gen_require(` - type svn_port_t; - ') - - allow $1 svn_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svn_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the svn port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_svn_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svn_port'($*)) dnl - - gen_require(` - type svn_port_t; - ') - - allow $1 svn_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svn_port'($*)) dnl - ') - - - -######################################## -## -## Send svn_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_svn_client_packets'($*)) dnl - - gen_require(` - type svn_client_packet_t; - ') - - allow $1 svn_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send svn_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_client_packets'($*)) dnl - - gen_require(` - type svn_client_packet_t; - ') - - dontaudit $1 svn_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive svn_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_client_packets'($*)) dnl - - gen_require(` - type svn_client_packet_t; - ') - - allow $1 svn_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive svn_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_client_packets'($*)) dnl - - gen_require(` - type svn_client_packet_t; - ') - - dontaudit $1 svn_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive svn_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_client_packets'($*)) dnl - - corenet_send_svn_client_packets($1) - corenet_receive_svn_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive svn_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_client_packets'($*)) dnl - - corenet_dontaudit_send_svn_client_packets($1) - corenet_dontaudit_receive_svn_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to svn_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_svn_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_client_packets'($*)) dnl - - gen_require(` - type svn_client_packet_t; - ') - - allow $1 svn_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send svn_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_svn_server_packets'($*)) dnl - - gen_require(` - type svn_server_packet_t; - ') - - allow $1 svn_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send svn_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_server_packets'($*)) dnl - - gen_require(` - type svn_server_packet_t; - ') - - dontaudit $1 svn_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive svn_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_server_packets'($*)) dnl - - gen_require(` - type svn_server_packet_t; - ') - - allow $1 svn_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive svn_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_server_packets'($*)) dnl - - gen_require(` - type svn_server_packet_t; - ') - - dontaudit $1 svn_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive svn_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_server_packets'($*)) dnl - - corenet_send_svn_server_packets($1) - corenet_receive_svn_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive svn_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_server_packets'($*)) dnl - - corenet_dontaudit_send_svn_server_packets($1) - corenet_dontaudit_receive_svn_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to svn_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_svn_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_server_packets'($*)) dnl - - gen_require(` - type svn_server_packet_t; - ') - - allow $1 svn_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the svrloc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the svrloc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the svrloc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the svrloc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the svrloc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the svrloc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the svrloc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the svrloc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svrloc_port'($*)) dnl - - gen_require(` - type svrloc_port_t; - ') - - allow $1 svrloc_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the svrloc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svrloc_port'($*)) dnl - - gen_require(` - type svrloc_port_t; - ') - - allow $1 svrloc_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svrloc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the svrloc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_svrloc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svrloc_port'($*)) dnl - - gen_require(` - type svrloc_port_t; - ') - - allow $1 svrloc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svrloc_port'($*)) dnl - ') - - - -######################################## -## -## Send svrloc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_client_packets'($*)) dnl - - gen_require(` - type svrloc_client_packet_t; - ') - - allow $1 svrloc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send svrloc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl - - gen_require(` - type svrloc_client_packet_t; - ') - - dontaudit $1 svrloc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive svrloc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_client_packets'($*)) dnl - - gen_require(` - type svrloc_client_packet_t; - ') - - allow $1 svrloc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive svrloc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl - - gen_require(` - type svrloc_client_packet_t; - ') - - dontaudit $1 svrloc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive svrloc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_client_packets'($*)) dnl - - corenet_send_svrloc_client_packets($1) - corenet_receive_svrloc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive svrloc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl - - corenet_dontaudit_send_svrloc_client_packets($1) - corenet_dontaudit_receive_svrloc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to svrloc_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_svrloc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_client_packets'($*)) dnl - - gen_require(` - type svrloc_client_packet_t; - ') - - allow $1 svrloc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send svrloc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_server_packets'($*)) dnl - - gen_require(` - type svrloc_server_packet_t; - ') - - allow $1 svrloc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send svrloc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl - - gen_require(` - type svrloc_server_packet_t; - ') - - dontaudit $1 svrloc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive svrloc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_server_packets'($*)) dnl - - gen_require(` - type svrloc_server_packet_t; - ') - - allow $1 svrloc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive svrloc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl - - gen_require(` - type svrloc_server_packet_t; - ') - - dontaudit $1 svrloc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive svrloc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_server_packets'($*)) dnl - - corenet_send_svrloc_server_packets($1) - corenet_receive_svrloc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive svrloc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl - - corenet_dontaudit_send_svrloc_server_packets($1) - corenet_dontaudit_receive_svrloc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to svrloc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_svrloc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_server_packets'($*)) dnl - - gen_require(` - type svrloc_server_packet_t; - ') - - allow $1 svrloc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the swat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swat_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the swat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_swat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the swat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swat_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the swat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the swat port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swat_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the swat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swat_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the swat port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the swat port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swat_port'($*)) dnl - - gen_require(` - type swat_port_t; - ') - - allow $1 swat_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swat_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the swat port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swat_port'($*)) dnl - - gen_require(` - type swat_port_t; - ') - - allow $1 swat_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swat_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the swat port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_swat_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swat_port'($*)) dnl - - gen_require(` - type swat_port_t; - ') - - allow $1 swat_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swat_port'($*)) dnl - ') - - - -######################################## -## -## Send swat_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_swat_client_packets'($*)) dnl - - gen_require(` - type swat_client_packet_t; - ') - - allow $1 swat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send swat_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_client_packets'($*)) dnl - - gen_require(` - type swat_client_packet_t; - ') - - dontaudit $1 swat_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive swat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_client_packets'($*)) dnl - - gen_require(` - type swat_client_packet_t; - ') - - allow $1 swat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive swat_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_client_packets'($*)) dnl - - gen_require(` - type swat_client_packet_t; - ') - - dontaudit $1 swat_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive swat_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_client_packets'($*)) dnl - - corenet_send_swat_client_packets($1) - corenet_receive_swat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive swat_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl - - corenet_dontaudit_send_swat_client_packets($1) - corenet_dontaudit_receive_swat_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to swat_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_swat_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_client_packets'($*)) dnl - - gen_require(` - type swat_client_packet_t; - ') - - allow $1 swat_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send swat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_swat_server_packets'($*)) dnl - - gen_require(` - type swat_server_packet_t; - ') - - allow $1 swat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send swat_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_server_packets'($*)) dnl - - gen_require(` - type swat_server_packet_t; - ') - - dontaudit $1 swat_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive swat_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_server_packets'($*)) dnl - - gen_require(` - type swat_server_packet_t; - ') - - allow $1 swat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive swat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_server_packets'($*)) dnl - - gen_require(` - type swat_server_packet_t; - ') - - dontaudit $1 swat_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive swat_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_server_packets'($*)) dnl - - corenet_send_swat_server_packets($1) - corenet_receive_swat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive swat_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl - - corenet_dontaudit_send_swat_server_packets($1) - corenet_dontaudit_receive_swat_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to swat_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_swat_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_server_packets'($*)) dnl - - gen_require(` - type swat_server_packet_t; - ') - - allow $1 swat_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the syncthing port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the syncthing port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the syncthing port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the syncthing port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the syncthing port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the syncthing port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the syncthing port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syncthing_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the syncthing port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syncthing_port'($*)) dnl - - gen_require(` - type syncthing_port_t; - ') - - allow $1 syncthing_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the syncthing port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syncthing_port'($*)) dnl - - gen_require(` - type syncthing_port_t; - ') - - allow $1 syncthing_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syncthing_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the syncthing port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_syncthing_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syncthing_port'($*)) dnl - - gen_require(` - type syncthing_port_t; - ') - - allow $1 syncthing_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syncthing_port'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_client_packets'($*)) dnl - - gen_require(` - type syncthing_client_packet_t; - ') - - allow $1 syncthing_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_client_packets'($*)) dnl - - gen_require(` - type syncthing_client_packet_t; - ') - - dontaudit $1 syncthing_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_client_packets'($*)) dnl - - gen_require(` - type syncthing_client_packet_t; - ') - - allow $1 syncthing_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_client_packets'($*)) dnl - - gen_require(` - type syncthing_client_packet_t; - ') - - dontaudit $1 syncthing_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_client_packets'($*)) dnl - - corenet_send_syncthing_client_packets($1) - corenet_receive_syncthing_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_client_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_client_packets($1) - corenet_dontaudit_receive_syncthing_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_syncthing_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_client_packets'($*)) dnl - - gen_require(` - type syncthing_client_packet_t; - ') - - allow $1 syncthing_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_server_packets'($*)) dnl - - gen_require(` - type syncthing_server_packet_t; - ') - - allow $1 syncthing_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_server_packets'($*)) dnl - - gen_require(` - type syncthing_server_packet_t; - ') - - dontaudit $1 syncthing_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_server_packets'($*)) dnl - - gen_require(` - type syncthing_server_packet_t; - ') - - allow $1 syncthing_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_server_packets'($*)) dnl - - gen_require(` - type syncthing_server_packet_t; - ') - - dontaudit $1 syncthing_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_server_packets'($*)) dnl - - corenet_send_syncthing_server_packets($1) - corenet_receive_syncthing_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_server_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_server_packets($1) - corenet_dontaudit_receive_syncthing_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syncthing_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_server_packets'($*)) dnl - - gen_require(` - type syncthing_server_packet_t; - ') - - allow $1 syncthing_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the syncthing_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the syncthing_admin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the syncthing_admin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the syncthing_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the syncthing_admin port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the syncthing_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the syncthing_admin port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syncthing_admin_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the syncthing_admin port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syncthing_admin_port'($*)) dnl - - gen_require(` - type syncthing_admin_port_t; - ') - - allow $1 syncthing_admin_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the syncthing_admin port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syncthing_admin_port'($*)) dnl - - gen_require(` - type syncthing_admin_port_t; - ') - - allow $1 syncthing_admin_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syncthing_admin_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the syncthing_admin port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_syncthing_admin_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syncthing_admin_port'($*)) dnl - - gen_require(` - type syncthing_admin_port_t; - ') - - allow $1 syncthing_admin_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syncthing_admin_port'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_admin_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_admin_client_packets'($*)) dnl - - gen_require(` - type syncthing_admin_client_packet_t; - ') - - allow $1 syncthing_admin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_admin_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_admin_client_packets'($*)) dnl - - gen_require(` - type syncthing_admin_client_packet_t; - ') - - dontaudit $1 syncthing_admin_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_admin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_admin_client_packets'($*)) dnl - - gen_require(` - type syncthing_admin_client_packet_t; - ') - - allow $1 syncthing_admin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_admin_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_admin_client_packets'($*)) dnl - - gen_require(` - type syncthing_admin_client_packet_t; - ') - - dontaudit $1 syncthing_admin_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_admin_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_admin_client_packets'($*)) dnl - - corenet_send_syncthing_admin_client_packets($1) - corenet_receive_syncthing_admin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_admin_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_admin_client_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_admin_client_packets($1) - corenet_dontaudit_receive_syncthing_admin_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_admin_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_admin_client the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syncthing_admin_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_admin_client_packets'($*)) dnl - - gen_require(` - type syncthing_admin_client_packet_t; - ') - - allow $1 syncthing_admin_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_admin_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_admin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_admin_server_packets'($*)) dnl - - gen_require(` - type syncthing_admin_server_packet_t; - ') - - allow $1 syncthing_admin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_admin_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_admin_server_packets'($*)) dnl - - gen_require(` - type syncthing_admin_server_packet_t; - ') - - dontaudit $1 syncthing_admin_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_admin_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_admin_server_packets'($*)) dnl - - gen_require(` - type syncthing_admin_server_packet_t; - ') - - allow $1 syncthing_admin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_admin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_admin_server_packets'($*)) dnl - - gen_require(` - type syncthing_admin_server_packet_t; - ') - - dontaudit $1 syncthing_admin_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_admin_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_admin_server_packets'($*)) dnl - - corenet_send_syncthing_admin_server_packets($1) - corenet_receive_syncthing_admin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_admin_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_admin_server_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_admin_server_packets($1) - corenet_dontaudit_receive_syncthing_admin_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_admin_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_admin_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syncthing_admin_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_admin_server_packets'($*)) dnl - - gen_require(` - type syncthing_admin_server_packet_t; - ') - - allow $1 syncthing_admin_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_admin_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the syncthing_discovery port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the syncthing_discovery port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the syncthing_discovery port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the syncthing_discovery port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the syncthing_discovery port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the syncthing_discovery port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the syncthing_discovery port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syncthing_discovery_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the syncthing_discovery port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syncthing_discovery_port'($*)) dnl - - gen_require(` - type syncthing_discovery_port_t; - ') - - allow $1 syncthing_discovery_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the syncthing_discovery port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syncthing_discovery_port'($*)) dnl - - gen_require(` - type syncthing_discovery_port_t; - ') - - allow $1 syncthing_discovery_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syncthing_discovery_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the syncthing_discovery port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_syncthing_discovery_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syncthing_discovery_port'($*)) dnl - - gen_require(` - type syncthing_discovery_port_t; - ') - - allow $1 syncthing_discovery_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syncthing_discovery_port'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_discovery_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_discovery_client_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_client_packet_t; - ') - - allow $1 syncthing_discovery_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_discovery_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_discovery_client_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_client_packet_t; - ') - - dontaudit $1 syncthing_discovery_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_discovery_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_discovery_client_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_client_packet_t; - ') - - allow $1 syncthing_discovery_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_discovery_client packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_discovery_client_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_client_packet_t; - ') - - dontaudit $1 syncthing_discovery_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_discovery_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_discovery_client_packets'($*)) dnl - - corenet_send_syncthing_discovery_client_packets($1) - corenet_receive_syncthing_discovery_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_discovery_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_discovery_client_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_discovery_client_packets($1) - corenet_dontaudit_receive_syncthing_discovery_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_discovery_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_discovery_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syncthing_discovery_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_discovery_client_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_client_packet_t; - ') - - allow $1 syncthing_discovery_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_discovery_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send syncthing_discovery_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syncthing_discovery_server_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_server_packet_t; - ') - - allow $1 syncthing_discovery_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syncthing_discovery_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syncthing_discovery_server_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_server_packet_t; - ') - - dontaudit $1 syncthing_discovery_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive syncthing_discovery_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syncthing_discovery_server_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_server_packet_t; - ') - - allow $1 syncthing_discovery_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syncthing_discovery_server packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syncthing_discovery_server_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_server_packet_t; - ') - - dontaudit $1 syncthing_discovery_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syncthing_discovery_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syncthing_discovery_server_packets'($*)) dnl - - corenet_send_syncthing_discovery_server_packets($1) - corenet_receive_syncthing_discovery_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syncthing_discovery_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syncthing_discovery_server_packets'($*)) dnl - - corenet_dontaudit_send_syncthing_discovery_server_packets($1) - corenet_dontaudit_receive_syncthing_discovery_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syncthing_discovery_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syncthing_discovery_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syncthing_discovery_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syncthing_discovery_server_packets'($*)) dnl - - gen_require(` - type syncthing_discovery_server_packet_t; - ') - - allow $1 syncthing_discovery_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syncthing_discovery_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the sype_transport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the sype_transport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the sype_transport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the sype_transport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the sype_transport port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the sype_transport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the sype_transport port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the sype_transport port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sype_transport_port'($*)) dnl - - gen_require(` - type sype_transport_port_t; - ') - - allow $1 sype_transport_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the sype_transport port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sype_transport_port'($*)) dnl - - gen_require(` - type sype_transport_port_t; - ') - - allow $1 sype_transport_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sype_transport_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the sype_transport port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_sype_transport_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sype_transport_port'($*)) dnl - - gen_require(` - type sype_transport_port_t; - ') - - allow $1 sype_transport_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sype_transport_port'($*)) dnl - ') - - - -######################################## -## -## Send sype_transport_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_client_packets'($*)) dnl - - gen_require(` - type sype_transport_client_packet_t; - ') - - allow $1 sype_transport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sype_transport_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl - - gen_require(` - type sype_transport_client_packet_t; - ') - - dontaudit $1 sype_transport_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive sype_transport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_client_packets'($*)) dnl - - gen_require(` - type sype_transport_client_packet_t; - ') - - allow $1 sype_transport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sype_transport_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl - - gen_require(` - type sype_transport_client_packet_t; - ') - - dontaudit $1 sype_transport_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sype_transport_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_client_packets'($*)) dnl - - corenet_send_sype_transport_client_packets($1) - corenet_receive_sype_transport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sype_transport_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl - - corenet_dontaudit_send_sype_transport_client_packets($1) - corenet_dontaudit_receive_sype_transport_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sype_transport_client the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sype_transport_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_client_packets'($*)) dnl - - gen_require(` - type sype_transport_client_packet_t; - ') - - allow $1 sype_transport_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send sype_transport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_server_packets'($*)) dnl - - gen_require(` - type sype_transport_server_packet_t; - ') - - allow $1 sype_transport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send sype_transport_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl - - gen_require(` - type sype_transport_server_packet_t; - ') - - dontaudit $1 sype_transport_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive sype_transport_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_server_packets'($*)) dnl - - gen_require(` - type sype_transport_server_packet_t; - ') - - allow $1 sype_transport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive sype_transport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl - - gen_require(` - type sype_transport_server_packet_t; - ') - - dontaudit $1 sype_transport_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive sype_transport_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_server_packets'($*)) dnl - - corenet_send_sype_transport_server_packets($1) - corenet_receive_sype_transport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive sype_transport_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl - - corenet_dontaudit_send_sype_transport_server_packets($1) - corenet_dontaudit_receive_sype_transport_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to sype_transport_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_sype_transport_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_server_packets'($*)) dnl - - gen_require(` - type sype_transport_server_packet_t; - ') - - allow $1 sype_transport_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the syslogd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the syslogd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the syslogd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the syslogd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the syslogd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the syslogd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the syslogd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the syslogd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslogd_port'($*)) dnl - - gen_require(` - type syslogd_port_t; - ') - - allow $1 syslogd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the syslogd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslogd_port'($*)) dnl - - gen_require(` - type syslogd_port_t; - ') - - allow $1 syslogd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslogd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the syslogd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_syslogd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslogd_port'($*)) dnl - - gen_require(` - type syslogd_port_t; - ') - - allow $1 syslogd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslogd_port'($*)) dnl - ') - - - -######################################## -## -## Send syslogd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_client_packets'($*)) dnl - - gen_require(` - type syslogd_client_packet_t; - ') - - allow $1 syslogd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syslogd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl - - gen_require(` - type syslogd_client_packet_t; - ') - - dontaudit $1 syslogd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive syslogd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_client_packets'($*)) dnl - - gen_require(` - type syslogd_client_packet_t; - ') - - allow $1 syslogd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syslogd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl - - gen_require(` - type syslogd_client_packet_t; - ') - - dontaudit $1 syslogd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syslogd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_client_packets'($*)) dnl - - corenet_send_syslogd_client_packets($1) - corenet_receive_syslogd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syslogd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl - - corenet_dontaudit_send_syslogd_client_packets($1) - corenet_dontaudit_receive_syslogd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syslogd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_syslogd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_client_packets'($*)) dnl - - gen_require(` - type syslogd_client_packet_t; - ') - - allow $1 syslogd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send syslogd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_server_packets'($*)) dnl - - gen_require(` - type syslogd_server_packet_t; - ') - - allow $1 syslogd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syslogd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl - - gen_require(` - type syslogd_server_packet_t; - ') - - dontaudit $1 syslogd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive syslogd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_server_packets'($*)) dnl - - gen_require(` - type syslogd_server_packet_t; - ') - - allow $1 syslogd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syslogd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl - - gen_require(` - type syslogd_server_packet_t; - ') - - dontaudit $1 syslogd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syslogd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_server_packets'($*)) dnl - - corenet_send_syslogd_server_packets($1) - corenet_receive_syslogd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syslogd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl - - corenet_dontaudit_send_syslogd_server_packets($1) - corenet_dontaudit_receive_syslogd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syslogd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syslogd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_server_packets'($*)) dnl - - gen_require(` - type syslogd_server_packet_t; - ') - - allow $1 syslogd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the syslog_tls port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the syslog_tls port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the syslog_tls port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the syslog_tls port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the syslog_tls port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the syslog_tls port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the syslog_tls port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the syslog_tls port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslog_tls_port'($*)) dnl - - gen_require(` - type syslog_tls_port_t; - ') - - allow $1 syslog_tls_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the syslog_tls port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslog_tls_port'($*)) dnl - - gen_require(` - type syslog_tls_port_t; - ') - - allow $1 syslog_tls_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslog_tls_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the syslog_tls port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_syslog_tls_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslog_tls_port'($*)) dnl - - gen_require(` - type syslog_tls_port_t; - ') - - allow $1 syslog_tls_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslog_tls_port'($*)) dnl - ') - - - -######################################## -## -## Send syslog_tls_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_client_packets'($*)) dnl - - gen_require(` - type syslog_tls_client_packet_t; - ') - - allow $1 syslog_tls_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syslog_tls_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl - - gen_require(` - type syslog_tls_client_packet_t; - ') - - dontaudit $1 syslog_tls_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive syslog_tls_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_client_packets'($*)) dnl - - gen_require(` - type syslog_tls_client_packet_t; - ') - - allow $1 syslog_tls_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syslog_tls_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl - - gen_require(` - type syslog_tls_client_packet_t; - ') - - dontaudit $1 syslog_tls_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syslog_tls_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl - - corenet_send_syslog_tls_client_packets($1) - corenet_receive_syslog_tls_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syslog_tls_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl - - corenet_dontaudit_send_syslog_tls_client_packets($1) - corenet_dontaudit_receive_syslog_tls_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syslog_tls_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_syslog_tls_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_client_packets'($*)) dnl - - gen_require(` - type syslog_tls_client_packet_t; - ') - - allow $1 syslog_tls_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send syslog_tls_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_server_packets'($*)) dnl - - gen_require(` - type syslog_tls_server_packet_t; - ') - - allow $1 syslog_tls_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send syslog_tls_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl - - gen_require(` - type syslog_tls_server_packet_t; - ') - - dontaudit $1 syslog_tls_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive syslog_tls_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_server_packets'($*)) dnl - - gen_require(` - type syslog_tls_server_packet_t; - ') - - allow $1 syslog_tls_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive syslog_tls_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl - - gen_require(` - type syslog_tls_server_packet_t; - ') - - dontaudit $1 syslog_tls_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive syslog_tls_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl - - corenet_send_syslog_tls_server_packets($1) - corenet_receive_syslog_tls_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive syslog_tls_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl - - corenet_dontaudit_send_syslog_tls_server_packets($1) - corenet_dontaudit_receive_syslog_tls_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to syslog_tls_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_syslog_tls_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_server_packets'($*)) dnl - - gen_require(` - type syslog_tls_server_packet_t; - ') - - allow $1 syslog_tls_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the tcs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tcs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the tcs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_tcs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the tcs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tcs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the tcs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tcs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the tcs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the tcs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tcs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the tcs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the tcs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tcs_port'($*)) dnl - - gen_require(` - type tcs_port_t; - ') - - allow $1 tcs_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tcs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the tcs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tcs_port'($*)) dnl - - gen_require(` - type tcs_port_t; - ') - - allow $1 tcs_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tcs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the tcs port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_tcs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tcs_port'($*)) dnl - - gen_require(` - type tcs_port_t; - ') - - allow $1 tcs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tcs_port'($*)) dnl - ') - - - -######################################## -## -## Send tcs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_client_packets'($*)) dnl - - gen_require(` - type tcs_client_packet_t; - ') - - allow $1 tcs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tcs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_client_packets'($*)) dnl - - gen_require(` - type tcs_client_packet_t; - ') - - dontaudit $1 tcs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive tcs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_client_packets'($*)) dnl - - gen_require(` - type tcs_client_packet_t; - ') - - allow $1 tcs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tcs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl - - gen_require(` - type tcs_client_packet_t; - ') - - dontaudit $1 tcs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tcs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_client_packets'($*)) dnl - - corenet_send_tcs_client_packets($1) - corenet_receive_tcs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tcs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl - - corenet_dontaudit_send_tcs_client_packets($1) - corenet_dontaudit_receive_tcs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tcs_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_tcs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_client_packets'($*)) dnl - - gen_require(` - type tcs_client_packet_t; - ') - - allow $1 tcs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send tcs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_server_packets'($*)) dnl - - gen_require(` - type tcs_server_packet_t; - ') - - allow $1 tcs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tcs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_server_packets'($*)) dnl - - gen_require(` - type tcs_server_packet_t; - ') - - dontaudit $1 tcs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive tcs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_server_packets'($*)) dnl - - gen_require(` - type tcs_server_packet_t; - ') - - allow $1 tcs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tcs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl - - gen_require(` - type tcs_server_packet_t; - ') - - dontaudit $1 tcs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tcs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_server_packets'($*)) dnl - - corenet_send_tcs_server_packets($1) - corenet_receive_tcs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tcs_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl - - corenet_dontaudit_send_tcs_server_packets($1) - corenet_dontaudit_receive_tcs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tcs_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_tcs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_server_packets'($*)) dnl - - gen_require(` - type tcs_server_packet_t; - ') - - allow $1 tcs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the telnetd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the telnetd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the telnetd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the telnetd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the telnetd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the telnetd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the telnetd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the telnetd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_telnetd_port'($*)) dnl - - gen_require(` - type telnetd_port_t; - ') - - allow $1 telnetd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the telnetd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_telnetd_port'($*)) dnl - - gen_require(` - type telnetd_port_t; - ') - - allow $1 telnetd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_telnetd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the telnetd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_telnetd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_telnetd_port'($*)) dnl - - gen_require(` - type telnetd_port_t; - ') - - allow $1 telnetd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_telnetd_port'($*)) dnl - ') - - - -######################################## -## -## Send telnetd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_client_packets'($*)) dnl - - gen_require(` - type telnetd_client_packet_t; - ') - - allow $1 telnetd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send telnetd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl - - gen_require(` - type telnetd_client_packet_t; - ') - - dontaudit $1 telnetd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive telnetd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_client_packets'($*)) dnl - - gen_require(` - type telnetd_client_packet_t; - ') - - allow $1 telnetd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive telnetd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl - - gen_require(` - type telnetd_client_packet_t; - ') - - dontaudit $1 telnetd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive telnetd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_client_packets'($*)) dnl - - corenet_send_telnetd_client_packets($1) - corenet_receive_telnetd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive telnetd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl - - corenet_dontaudit_send_telnetd_client_packets($1) - corenet_dontaudit_receive_telnetd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to telnetd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_telnetd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_client_packets'($*)) dnl - - gen_require(` - type telnetd_client_packet_t; - ') - - allow $1 telnetd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send telnetd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_server_packets'($*)) dnl - - gen_require(` - type telnetd_server_packet_t; - ') - - allow $1 telnetd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send telnetd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl - - gen_require(` - type telnetd_server_packet_t; - ') - - dontaudit $1 telnetd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive telnetd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_server_packets'($*)) dnl - - gen_require(` - type telnetd_server_packet_t; - ') - - allow $1 telnetd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive telnetd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl - - gen_require(` - type telnetd_server_packet_t; - ') - - dontaudit $1 telnetd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive telnetd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_server_packets'($*)) dnl - - corenet_send_telnetd_server_packets($1) - corenet_receive_telnetd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive telnetd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl - - corenet_dontaudit_send_telnetd_server_packets($1) - corenet_dontaudit_receive_telnetd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to telnetd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_telnetd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_server_packets'($*)) dnl - - gen_require(` - type telnetd_server_packet_t; - ') - - allow $1 telnetd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the tftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tftp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the tftp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_tftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the tftp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tftp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the tftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the tftp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the tftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tftp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the tftp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the tftp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tftp_port'($*)) dnl - - gen_require(` - type tftp_port_t; - ') - - allow $1 tftp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tftp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the tftp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tftp_port'($*)) dnl - - gen_require(` - type tftp_port_t; - ') - - allow $1 tftp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tftp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the tftp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_tftp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tftp_port'($*)) dnl - - gen_require(` - type tftp_port_t; - ') - - allow $1 tftp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tftp_port'($*)) dnl - ') - - - -######################################## -## -## Send tftp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_client_packets'($*)) dnl - - gen_require(` - type tftp_client_packet_t; - ') - - allow $1 tftp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tftp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_client_packets'($*)) dnl - - gen_require(` - type tftp_client_packet_t; - ') - - dontaudit $1 tftp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive tftp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_client_packets'($*)) dnl - - gen_require(` - type tftp_client_packet_t; - ') - - allow $1 tftp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tftp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl - - gen_require(` - type tftp_client_packet_t; - ') - - dontaudit $1 tftp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tftp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_client_packets'($*)) dnl - - corenet_send_tftp_client_packets($1) - corenet_receive_tftp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tftp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl - - corenet_dontaudit_send_tftp_client_packets($1) - corenet_dontaudit_receive_tftp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tftp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_tftp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_client_packets'($*)) dnl - - gen_require(` - type tftp_client_packet_t; - ') - - allow $1 tftp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send tftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_server_packets'($*)) dnl - - gen_require(` - type tftp_server_packet_t; - ') - - allow $1 tftp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tftp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_server_packets'($*)) dnl - - gen_require(` - type tftp_server_packet_t; - ') - - dontaudit $1 tftp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive tftp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_server_packets'($*)) dnl - - gen_require(` - type tftp_server_packet_t; - ') - - allow $1 tftp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl - - gen_require(` - type tftp_server_packet_t; - ') - - dontaudit $1 tftp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tftp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_server_packets'($*)) dnl - - corenet_send_tftp_server_packets($1) - corenet_receive_tftp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tftp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl - - corenet_dontaudit_send_tftp_server_packets($1) - corenet_dontaudit_receive_tftp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tftp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_tftp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_server_packets'($*)) dnl - - gen_require(` - type tftp_server_packet_t; - ') - - allow $1 tftp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the tor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tor_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the tor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_tor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the tor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tor_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the tor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the tor port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tor_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the tor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tor_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the tor port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the tor port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tor_port'($*)) dnl - - gen_require(` - type tor_port_t; - ') - - allow $1 tor_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tor_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the tor port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tor_port'($*)) dnl - - gen_require(` - type tor_port_t; - ') - - allow $1 tor_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tor_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the tor port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_tor_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tor_port'($*)) dnl - - gen_require(` - type tor_port_t; - ') - - allow $1 tor_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tor_port'($*)) dnl - ') - - - -######################################## -## -## Send tor_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tor_client_packets'($*)) dnl - - gen_require(` - type tor_client_packet_t; - ') - - allow $1 tor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tor_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_client_packets'($*)) dnl - - gen_require(` - type tor_client_packet_t; - ') - - dontaudit $1 tor_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive tor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_client_packets'($*)) dnl - - gen_require(` - type tor_client_packet_t; - ') - - allow $1 tor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tor_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_client_packets'($*)) dnl - - gen_require(` - type tor_client_packet_t; - ') - - dontaudit $1 tor_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tor_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_client_packets'($*)) dnl - - corenet_send_tor_client_packets($1) - corenet_receive_tor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tor_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl - - corenet_dontaudit_send_tor_client_packets($1) - corenet_dontaudit_receive_tor_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tor_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_tor_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_client_packets'($*)) dnl - - gen_require(` - type tor_client_packet_t; - ') - - allow $1 tor_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send tor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_tor_server_packets'($*)) dnl - - gen_require(` - type tor_server_packet_t; - ') - - allow $1 tor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send tor_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_server_packets'($*)) dnl - - gen_require(` - type tor_server_packet_t; - ') - - dontaudit $1 tor_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive tor_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_server_packets'($*)) dnl - - gen_require(` - type tor_server_packet_t; - ') - - allow $1 tor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive tor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_server_packets'($*)) dnl - - gen_require(` - type tor_server_packet_t; - ') - - dontaudit $1 tor_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive tor_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_server_packets'($*)) dnl - - corenet_send_tor_server_packets($1) - corenet_receive_tor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive tor_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl - - corenet_dontaudit_send_tor_server_packets($1) - corenet_dontaudit_receive_tor_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to tor_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_tor_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_server_packets'($*)) dnl - - gen_require(` - type tor_server_packet_t; - ') - - allow $1 tor_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the traceroute port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the traceroute port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the traceroute port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the traceroute port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the traceroute port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the traceroute port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the traceroute port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the traceroute port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_traceroute_port'($*)) dnl - - gen_require(` - type traceroute_port_t; - ') - - allow $1 traceroute_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the traceroute port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_traceroute_port'($*)) dnl - - gen_require(` - type traceroute_port_t; - ') - - allow $1 traceroute_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_traceroute_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the traceroute port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_traceroute_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_traceroute_port'($*)) dnl - - gen_require(` - type traceroute_port_t; - ') - - allow $1 traceroute_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_traceroute_port'($*)) dnl - ') - - - -######################################## -## -## Send traceroute_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_client_packets'($*)) dnl - - gen_require(` - type traceroute_client_packet_t; - ') - - allow $1 traceroute_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send traceroute_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl - - gen_require(` - type traceroute_client_packet_t; - ') - - dontaudit $1 traceroute_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive traceroute_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_client_packets'($*)) dnl - - gen_require(` - type traceroute_client_packet_t; - ') - - allow $1 traceroute_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive traceroute_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl - - gen_require(` - type traceroute_client_packet_t; - ') - - dontaudit $1 traceroute_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive traceroute_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_client_packets'($*)) dnl - - corenet_send_traceroute_client_packets($1) - corenet_receive_traceroute_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive traceroute_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl - - corenet_dontaudit_send_traceroute_client_packets($1) - corenet_dontaudit_receive_traceroute_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to traceroute_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_traceroute_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_client_packets'($*)) dnl - - gen_require(` - type traceroute_client_packet_t; - ') - - allow $1 traceroute_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send traceroute_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_server_packets'($*)) dnl - - gen_require(` - type traceroute_server_packet_t; - ') - - allow $1 traceroute_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send traceroute_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl - - gen_require(` - type traceroute_server_packet_t; - ') - - dontaudit $1 traceroute_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive traceroute_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_server_packets'($*)) dnl - - gen_require(` - type traceroute_server_packet_t; - ') - - allow $1 traceroute_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive traceroute_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl - - gen_require(` - type traceroute_server_packet_t; - ') - - dontaudit $1 traceroute_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive traceroute_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_server_packets'($*)) dnl - - corenet_send_traceroute_server_packets($1) - corenet_receive_traceroute_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive traceroute_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl - - corenet_dontaudit_send_traceroute_server_packets($1) - corenet_dontaudit_receive_traceroute_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to traceroute_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_traceroute_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_server_packets'($*)) dnl - - gen_require(` - type traceroute_server_packet_t; - ') - - allow $1 traceroute_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the transproxy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the transproxy port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the transproxy port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the transproxy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the transproxy port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the transproxy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the transproxy port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the transproxy port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_transproxy_port'($*)) dnl - - gen_require(` - type transproxy_port_t; - ') - - allow $1 transproxy_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the transproxy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_transproxy_port'($*)) dnl - - gen_require(` - type transproxy_port_t; - ') - - allow $1 transproxy_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_transproxy_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the transproxy port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_transproxy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_transproxy_port'($*)) dnl - - gen_require(` - type transproxy_port_t; - ') - - allow $1 transproxy_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_transproxy_port'($*)) dnl - ') - - - -######################################## -## -## Send transproxy_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_client_packets'($*)) dnl - - gen_require(` - type transproxy_client_packet_t; - ') - - allow $1 transproxy_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send transproxy_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl - - gen_require(` - type transproxy_client_packet_t; - ') - - dontaudit $1 transproxy_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive transproxy_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_client_packets'($*)) dnl - - gen_require(` - type transproxy_client_packet_t; - ') - - allow $1 transproxy_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive transproxy_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl - - gen_require(` - type transproxy_client_packet_t; - ') - - dontaudit $1 transproxy_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive transproxy_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_client_packets'($*)) dnl - - corenet_send_transproxy_client_packets($1) - corenet_receive_transproxy_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive transproxy_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl - - corenet_dontaudit_send_transproxy_client_packets($1) - corenet_dontaudit_receive_transproxy_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to transproxy_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_transproxy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_client_packets'($*)) dnl - - gen_require(` - type transproxy_client_packet_t; - ') - - allow $1 transproxy_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send transproxy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_server_packets'($*)) dnl - - gen_require(` - type transproxy_server_packet_t; - ') - - allow $1 transproxy_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send transproxy_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl - - gen_require(` - type transproxy_server_packet_t; - ') - - dontaudit $1 transproxy_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive transproxy_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_server_packets'($*)) dnl - - gen_require(` - type transproxy_server_packet_t; - ') - - allow $1 transproxy_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive transproxy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl - - gen_require(` - type transproxy_server_packet_t; - ') - - dontaudit $1 transproxy_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive transproxy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_server_packets'($*)) dnl - - corenet_send_transproxy_server_packets($1) - corenet_receive_transproxy_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive transproxy_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl - - corenet_dontaudit_send_transproxy_server_packets($1) - corenet_dontaudit_receive_transproxy_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to transproxy_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_transproxy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_server_packets'($*)) dnl - - gen_require(` - type transproxy_server_packet_t; - ') - - allow $1 transproxy_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the trisoap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the trisoap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the trisoap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the trisoap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the trisoap port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the trisoap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the trisoap port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the trisoap port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trisoap_port'($*)) dnl - - gen_require(` - type trisoap_port_t; - ') - - allow $1 trisoap_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the trisoap port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trisoap_port'($*)) dnl - - gen_require(` - type trisoap_port_t; - ') - - allow $1 trisoap_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trisoap_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the trisoap port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_trisoap_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trisoap_port'($*)) dnl - - gen_require(` - type trisoap_port_t; - ') - - allow $1 trisoap_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trisoap_port'($*)) dnl - ') - - - -######################################## -## -## Send trisoap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_client_packets'($*)) dnl - - gen_require(` - type trisoap_client_packet_t; - ') - - allow $1 trisoap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send trisoap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl - - gen_require(` - type trisoap_client_packet_t; - ') - - dontaudit $1 trisoap_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive trisoap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_client_packets'($*)) dnl - - gen_require(` - type trisoap_client_packet_t; - ') - - allow $1 trisoap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive trisoap_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl - - gen_require(` - type trisoap_client_packet_t; - ') - - dontaudit $1 trisoap_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive trisoap_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_client_packets'($*)) dnl - - corenet_send_trisoap_client_packets($1) - corenet_receive_trisoap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive trisoap_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl - - corenet_dontaudit_send_trisoap_client_packets($1) - corenet_dontaudit_receive_trisoap_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to trisoap_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_trisoap_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_client_packets'($*)) dnl - - gen_require(` - type trisoap_client_packet_t; - ') - - allow $1 trisoap_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send trisoap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_server_packets'($*)) dnl - - gen_require(` - type trisoap_server_packet_t; - ') - - allow $1 trisoap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send trisoap_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl - - gen_require(` - type trisoap_server_packet_t; - ') - - dontaudit $1 trisoap_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive trisoap_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_server_packets'($*)) dnl - - gen_require(` - type trisoap_server_packet_t; - ') - - allow $1 trisoap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive trisoap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_server_packets'($*)) dnl - - gen_require(` - type trisoap_server_packet_t; - ') - - dontaudit $1 trisoap_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive trisoap_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_server_packets'($*)) dnl - - corenet_send_trisoap_server_packets($1) - corenet_receive_trisoap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive trisoap_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_server_packets'($*)) dnl - - corenet_dontaudit_send_trisoap_server_packets($1) - corenet_dontaudit_receive_trisoap_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to trisoap_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_trisoap_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_server_packets'($*)) dnl - - gen_require(` - type trisoap_server_packet_t; - ') - - allow $1 trisoap_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the trivnet1 port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the trivnet1 port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the trivnet1 port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the trivnet1 port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the trivnet1 port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the trivnet1 port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the trivnet1 port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the trivnet1 port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trivnet1_port'($*)) dnl - - gen_require(` - type trivnet1_port_t; - ') - - allow $1 trivnet1_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the trivnet1 port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trivnet1_port'($*)) dnl - - gen_require(` - type trivnet1_port_t; - ') - - allow $1 trivnet1_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trivnet1_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the trivnet1 port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_trivnet1_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trivnet1_port'($*)) dnl - - gen_require(` - type trivnet1_port_t; - ') - - allow $1 trivnet1_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trivnet1_port'($*)) dnl - ') - - - -######################################## -## -## Send trivnet1_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_client_packets'($*)) dnl - - gen_require(` - type trivnet1_client_packet_t; - ') - - allow $1 trivnet1_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send trivnet1_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_client_packets'($*)) dnl - - gen_require(` - type trivnet1_client_packet_t; - ') - - dontaudit $1 trivnet1_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive trivnet1_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_client_packets'($*)) dnl - - gen_require(` - type trivnet1_client_packet_t; - ') - - allow $1 trivnet1_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive trivnet1_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_client_packets'($*)) dnl - - gen_require(` - type trivnet1_client_packet_t; - ') - - dontaudit $1 trivnet1_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive trivnet1_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_client_packets'($*)) dnl - - corenet_send_trivnet1_client_packets($1) - corenet_receive_trivnet1_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive trivnet1_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*)) dnl - - corenet_dontaudit_send_trivnet1_client_packets($1) - corenet_dontaudit_receive_trivnet1_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to trivnet1_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_trivnet1_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_client_packets'($*)) dnl - - gen_require(` - type trivnet1_client_packet_t; - ') - - allow $1 trivnet1_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send trivnet1_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_server_packets'($*)) dnl - - gen_require(` - type trivnet1_server_packet_t; - ') - - allow $1 trivnet1_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send trivnet1_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_server_packets'($*)) dnl - - gen_require(` - type trivnet1_server_packet_t; - ') - - dontaudit $1 trivnet1_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive trivnet1_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_server_packets'($*)) dnl - - gen_require(` - type trivnet1_server_packet_t; - ') - - allow $1 trivnet1_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive trivnet1_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_server_packets'($*)) dnl - - gen_require(` - type trivnet1_server_packet_t; - ') - - dontaudit $1 trivnet1_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive trivnet1_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_server_packets'($*)) dnl - - corenet_send_trivnet1_server_packets($1) - corenet_receive_trivnet1_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive trivnet1_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*)) dnl - - corenet_dontaudit_send_trivnet1_server_packets($1) - corenet_dontaudit_receive_trivnet1_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to trivnet1_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_trivnet1_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_server_packets'($*)) dnl - - gen_require(` - type trivnet1_server_packet_t; - ') - - allow $1 trivnet1_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the ups port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ups_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the ups port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_ups_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the ups port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ups_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the ups port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ups_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the ups port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ups_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the ups port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ups_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the ups port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ups_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ups_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the ups port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ups_port'($*)) dnl - - gen_require(` - type ups_port_t; - ') - - allow $1 ups_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ups_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the ups port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ups_port'($*)) dnl - - gen_require(` - type ups_port_t; - ') - - allow $1 ups_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ups_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the ups port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_ups_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ups_port'($*)) dnl - - gen_require(` - type ups_port_t; - ') - - allow $1 ups_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ups_port'($*)) dnl - ') - - - -######################################## -## -## Send ups_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ups_client_packets'($*)) dnl - - gen_require(` - type ups_client_packet_t; - ') - - allow $1 ups_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ups_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_client_packets'($*)) dnl - - gen_require(` - type ups_client_packet_t; - ') - - dontaudit $1 ups_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive ups_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_client_packets'($*)) dnl - - gen_require(` - type ups_client_packet_t; - ') - - allow $1 ups_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ups_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_client_packets'($*)) dnl - - gen_require(` - type ups_client_packet_t; - ') - - dontaudit $1 ups_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ups_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_client_packets'($*)) dnl - - corenet_send_ups_client_packets($1) - corenet_receive_ups_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ups_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_client_packets'($*)) dnl - - corenet_dontaudit_send_ups_client_packets($1) - corenet_dontaudit_receive_ups_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ups_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_ups_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_client_packets'($*)) dnl - - gen_require(` - type ups_client_packet_t; - ') - - allow $1 ups_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send ups_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_ups_server_packets'($*)) dnl - - gen_require(` - type ups_server_packet_t; - ') - - allow $1 ups_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send ups_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_server_packets'($*)) dnl - - gen_require(` - type ups_server_packet_t; - ') - - dontaudit $1 ups_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive ups_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_server_packets'($*)) dnl - - gen_require(` - type ups_server_packet_t; - ') - - allow $1 ups_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive ups_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_server_packets'($*)) dnl - - gen_require(` - type ups_server_packet_t; - ') - - dontaudit $1 ups_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive ups_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_server_packets'($*)) dnl - - corenet_send_ups_server_packets($1) - corenet_receive_ups_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive ups_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_server_packets'($*)) dnl - - corenet_dontaudit_send_ups_server_packets($1) - corenet_dontaudit_receive_ups_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to ups_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_ups_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_server_packets'($*)) dnl - - gen_require(` - type ups_server_packet_t; - ') - - allow $1 ups_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the utcpserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the utcpserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the utcpserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the utcpserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the utcpserver port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the utcpserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the utcpserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the utcpserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_utcpserver_port'($*)) dnl - - gen_require(` - type utcpserver_port_t; - ') - - allow $1 utcpserver_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the utcpserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_utcpserver_port'($*)) dnl - - gen_require(` - type utcpserver_port_t; - ') - - allow $1 utcpserver_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_utcpserver_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the utcpserver port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_utcpserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_utcpserver_port'($*)) dnl - - gen_require(` - type utcpserver_port_t; - ') - - allow $1 utcpserver_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_utcpserver_port'($*)) dnl - ') - - - -######################################## -## -## Send utcpserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_client_packets'($*)) dnl - - gen_require(` - type utcpserver_client_packet_t; - ') - - allow $1 utcpserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send utcpserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl - - gen_require(` - type utcpserver_client_packet_t; - ') - - dontaudit $1 utcpserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive utcpserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_client_packets'($*)) dnl - - gen_require(` - type utcpserver_client_packet_t; - ') - - allow $1 utcpserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive utcpserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl - - gen_require(` - type utcpserver_client_packet_t; - ') - - dontaudit $1 utcpserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive utcpserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_client_packets'($*)) dnl - - corenet_send_utcpserver_client_packets($1) - corenet_receive_utcpserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive utcpserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl - - corenet_dontaudit_send_utcpserver_client_packets($1) - corenet_dontaudit_receive_utcpserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to utcpserver_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_utcpserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_client_packets'($*)) dnl - - gen_require(` - type utcpserver_client_packet_t; - ') - - allow $1 utcpserver_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send utcpserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_server_packets'($*)) dnl - - gen_require(` - type utcpserver_server_packet_t; - ') - - allow $1 utcpserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send utcpserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl - - gen_require(` - type utcpserver_server_packet_t; - ') - - dontaudit $1 utcpserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive utcpserver_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_server_packets'($*)) dnl - - gen_require(` - type utcpserver_server_packet_t; - ') - - allow $1 utcpserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive utcpserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl - - gen_require(` - type utcpserver_server_packet_t; - ') - - dontaudit $1 utcpserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive utcpserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_server_packets'($*)) dnl - - corenet_send_utcpserver_server_packets($1) - corenet_receive_utcpserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive utcpserver_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl - - corenet_dontaudit_send_utcpserver_server_packets($1) - corenet_dontaudit_receive_utcpserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to utcpserver_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_utcpserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_server_packets'($*)) dnl - - gen_require(` - type utcpserver_server_packet_t; - ') - - allow $1 utcpserver_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_server_packets'($*)) dnl - ') - - - # no defined portcon - - -######################################## -## -## Send and receive TCP traffic on the uucpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the uucpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the uucpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the uucpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the uucpd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the uucpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the uucpd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the uucpd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_uucpd_port'($*)) dnl - - gen_require(` - type uucpd_port_t; - ') - - allow $1 uucpd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the uucpd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_uucpd_port'($*)) dnl - - gen_require(` - type uucpd_port_t; - ') - - allow $1 uucpd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_uucpd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the uucpd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_uucpd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_uucpd_port'($*)) dnl - - gen_require(` - type uucpd_port_t; - ') - - allow $1 uucpd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_uucpd_port'($*)) dnl - ') - - - -######################################## -## -## Send uucpd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_client_packets'($*)) dnl - - gen_require(` - type uucpd_client_packet_t; - ') - - allow $1 uucpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send uucpd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl - - gen_require(` - type uucpd_client_packet_t; - ') - - dontaudit $1 uucpd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive uucpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_client_packets'($*)) dnl - - gen_require(` - type uucpd_client_packet_t; - ') - - allow $1 uucpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive uucpd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl - - gen_require(` - type uucpd_client_packet_t; - ') - - dontaudit $1 uucpd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive uucpd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_client_packets'($*)) dnl - - corenet_send_uucpd_client_packets($1) - corenet_receive_uucpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive uucpd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl - - corenet_dontaudit_send_uucpd_client_packets($1) - corenet_dontaudit_receive_uucpd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to uucpd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_uucpd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_client_packets'($*)) dnl - - gen_require(` - type uucpd_client_packet_t; - ') - - allow $1 uucpd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send uucpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_server_packets'($*)) dnl - - gen_require(` - type uucpd_server_packet_t; - ') - - allow $1 uucpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send uucpd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl - - gen_require(` - type uucpd_server_packet_t; - ') - - dontaudit $1 uucpd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive uucpd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_server_packets'($*)) dnl - - gen_require(` - type uucpd_server_packet_t; - ') - - allow $1 uucpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive uucpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl - - gen_require(` - type uucpd_server_packet_t; - ') - - dontaudit $1 uucpd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive uucpd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_server_packets'($*)) dnl - - corenet_send_uucpd_server_packets($1) - corenet_receive_uucpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive uucpd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl - - corenet_dontaudit_send_uucpd_server_packets($1) - corenet_dontaudit_receive_uucpd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to uucpd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_uucpd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_server_packets'($*)) dnl - - gen_require(` - type uucpd_server_packet_t; - ') - - allow $1 uucpd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the varnishd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the varnishd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the varnishd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the varnishd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the varnishd port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the varnishd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the varnishd port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the varnishd port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_varnishd_port'($*)) dnl - - gen_require(` - type varnishd_port_t; - ') - - allow $1 varnishd_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the varnishd port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_varnishd_port'($*)) dnl - - gen_require(` - type varnishd_port_t; - ') - - allow $1 varnishd_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_varnishd_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the varnishd port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_varnishd_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_varnishd_port'($*)) dnl - - gen_require(` - type varnishd_port_t; - ') - - allow $1 varnishd_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_varnishd_port'($*)) dnl - ') - - - -######################################## -## -## Send varnishd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_client_packets'($*)) dnl - - gen_require(` - type varnishd_client_packet_t; - ') - - allow $1 varnishd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send varnishd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl - - gen_require(` - type varnishd_client_packet_t; - ') - - dontaudit $1 varnishd_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive varnishd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_client_packets'($*)) dnl - - gen_require(` - type varnishd_client_packet_t; - ') - - allow $1 varnishd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive varnishd_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl - - gen_require(` - type varnishd_client_packet_t; - ') - - dontaudit $1 varnishd_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive varnishd_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_client_packets'($*)) dnl - - corenet_send_varnishd_client_packets($1) - corenet_receive_varnishd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive varnishd_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl - - corenet_dontaudit_send_varnishd_client_packets($1) - corenet_dontaudit_receive_varnishd_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to varnishd_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_varnishd_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_client_packets'($*)) dnl - - gen_require(` - type varnishd_client_packet_t; - ') - - allow $1 varnishd_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send varnishd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_server_packets'($*)) dnl - - gen_require(` - type varnishd_server_packet_t; - ') - - allow $1 varnishd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send varnishd_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl - - gen_require(` - type varnishd_server_packet_t; - ') - - dontaudit $1 varnishd_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive varnishd_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_server_packets'($*)) dnl - - gen_require(` - type varnishd_server_packet_t; - ') - - allow $1 varnishd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive varnishd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl - - gen_require(` - type varnishd_server_packet_t; - ') - - dontaudit $1 varnishd_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive varnishd_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_server_packets'($*)) dnl - - corenet_send_varnishd_server_packets($1) - corenet_receive_varnishd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive varnishd_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl - - corenet_dontaudit_send_varnishd_server_packets($1) - corenet_dontaudit_receive_varnishd_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to varnishd_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_varnishd_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_server_packets'($*)) dnl - - gen_require(` - type varnishd_server_packet_t; - ') - - allow $1 varnishd_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the virt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the virt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the virt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the virt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the virt port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the virt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the virt port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the virt port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_port'($*)) dnl - - gen_require(` - type virt_port_t; - ') - - allow $1 virt_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the virt port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_port'($*)) dnl - - gen_require(` - type virt_port_t; - ') - - allow $1 virt_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the virt port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_virt_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_port'($*)) dnl - - gen_require(` - type virt_port_t; - ') - - allow $1 virt_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_port'($*)) dnl - ') - - - -######################################## -## -## Send virt_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virt_client_packets'($*)) dnl - - gen_require(` - type virt_client_packet_t; - ') - - allow $1 virt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virt_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_client_packets'($*)) dnl - - gen_require(` - type virt_client_packet_t; - ') - - dontaudit $1 virt_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive virt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_client_packets'($*)) dnl - - gen_require(` - type virt_client_packet_t; - ') - - allow $1 virt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virt_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_client_packets'($*)) dnl - - gen_require(` - type virt_client_packet_t; - ') - - dontaudit $1 virt_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virt_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_client_packets'($*)) dnl - - corenet_send_virt_client_packets($1) - corenet_receive_virt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virt_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl - - corenet_dontaudit_send_virt_client_packets($1) - corenet_dontaudit_receive_virt_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virt_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_virt_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_client_packets'($*)) dnl - - gen_require(` - type virt_client_packet_t; - ') - - allow $1 virt_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send virt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virt_server_packets'($*)) dnl - - gen_require(` - type virt_server_packet_t; - ') - - allow $1 virt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virt_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_server_packets'($*)) dnl - - gen_require(` - type virt_server_packet_t; - ') - - dontaudit $1 virt_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive virt_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_server_packets'($*)) dnl - - gen_require(` - type virt_server_packet_t; - ') - - allow $1 virt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_server_packets'($*)) dnl - - gen_require(` - type virt_server_packet_t; - ') - - dontaudit $1 virt_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virt_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_server_packets'($*)) dnl - - corenet_send_virt_server_packets($1) - corenet_receive_virt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virt_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl - - corenet_dontaudit_send_virt_server_packets($1) - corenet_dontaudit_receive_virt_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virt_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_virt_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_server_packets'($*)) dnl - - gen_require(` - type virt_server_packet_t; - ') - - allow $1 virt_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the virtual_places port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the virtual_places port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the virtual_places port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the virtual_places port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the virtual_places port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the virtual_places port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the virtual_places port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the virtual_places port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virtual_places_port'($*)) dnl - - gen_require(` - type virtual_places_port_t; - ') - - allow $1 virtual_places_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the virtual_places port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virtual_places_port'($*)) dnl - - gen_require(` - type virtual_places_port_t; - ') - - allow $1 virtual_places_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virtual_places_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the virtual_places port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_virtual_places_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virtual_places_port'($*)) dnl - - gen_require(` - type virtual_places_port_t; - ') - - allow $1 virtual_places_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virtual_places_port'($*)) dnl - ') - - - -######################################## -## -## Send virtual_places_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_client_packets'($*)) dnl - - gen_require(` - type virtual_places_client_packet_t; - ') - - allow $1 virtual_places_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virtual_places_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl - - gen_require(` - type virtual_places_client_packet_t; - ') - - dontaudit $1 virtual_places_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive virtual_places_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_client_packets'($*)) dnl - - gen_require(` - type virtual_places_client_packet_t; - ') - - allow $1 virtual_places_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virtual_places_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl - - gen_require(` - type virtual_places_client_packet_t; - ') - - dontaudit $1 virtual_places_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virtual_places_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_client_packets'($*)) dnl - - corenet_send_virtual_places_client_packets($1) - corenet_receive_virtual_places_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virtual_places_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl - - corenet_dontaudit_send_virtual_places_client_packets($1) - corenet_dontaudit_receive_virtual_places_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virtual_places_client the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_virtual_places_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_client_packets'($*)) dnl - - gen_require(` - type virtual_places_client_packet_t; - ') - - allow $1 virtual_places_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send virtual_places_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_server_packets'($*)) dnl - - gen_require(` - type virtual_places_server_packet_t; - ') - - allow $1 virtual_places_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virtual_places_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl - - gen_require(` - type virtual_places_server_packet_t; - ') - - dontaudit $1 virtual_places_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive virtual_places_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_server_packets'($*)) dnl - - gen_require(` - type virtual_places_server_packet_t; - ') - - allow $1 virtual_places_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virtual_places_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl - - gen_require(` - type virtual_places_server_packet_t; - ') - - dontaudit $1 virtual_places_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virtual_places_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_server_packets'($*)) dnl - - corenet_send_virtual_places_server_packets($1) - corenet_receive_virtual_places_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virtual_places_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl - - corenet_dontaudit_send_virtual_places_server_packets($1) - corenet_dontaudit_receive_virtual_places_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virtual_places_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_virtual_places_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_server_packets'($*)) dnl - - gen_require(` - type virtual_places_server_packet_t; - ') - - allow $1 virtual_places_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the virt_migration port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the virt_migration port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the virt_migration port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the virt_migration port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the virt_migration port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the virt_migration port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the virt_migration port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the virt_migration port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_migration_port'($*)) dnl - - gen_require(` - type virt_migration_port_t; - ') - - allow $1 virt_migration_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the virt_migration port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_migration_port'($*)) dnl - - gen_require(` - type virt_migration_port_t; - ') - - allow $1 virt_migration_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_migration_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the virt_migration port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_virt_migration_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_migration_port'($*)) dnl - - gen_require(` - type virt_migration_port_t; - ') - - allow $1 virt_migration_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_migration_port'($*)) dnl - ') - - - -######################################## -## -## Send virt_migration_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_client_packets'($*)) dnl - - gen_require(` - type virt_migration_client_packet_t; - ') - - allow $1 virt_migration_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virt_migration_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl - - gen_require(` - type virt_migration_client_packet_t; - ') - - dontaudit $1 virt_migration_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive virt_migration_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_client_packets'($*)) dnl - - gen_require(` - type virt_migration_client_packet_t; - ') - - allow $1 virt_migration_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virt_migration_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl - - gen_require(` - type virt_migration_client_packet_t; - ') - - dontaudit $1 virt_migration_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virt_migration_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_client_packets'($*)) dnl - - corenet_send_virt_migration_client_packets($1) - corenet_receive_virt_migration_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virt_migration_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl - - corenet_dontaudit_send_virt_migration_client_packets($1) - corenet_dontaudit_receive_virt_migration_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virt_migration_client the packet type. 
-## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_virt_migration_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_client_packets'($*)) dnl - - gen_require(` - type virt_migration_client_packet_t; - ') - - allow $1 virt_migration_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send virt_migration_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_server_packets'($*)) dnl - - gen_require(` - type virt_migration_server_packet_t; - ') - - allow $1 virt_migration_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send virt_migration_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl - - gen_require(` - type virt_migration_server_packet_t; - ') - - dontaudit $1 virt_migration_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive virt_migration_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_server_packets'($*)) dnl - - gen_require(` - type virt_migration_server_packet_t; - ') - - allow $1 virt_migration_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive virt_migration_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl - - gen_require(` - type virt_migration_server_packet_t; - ') - - dontaudit $1 virt_migration_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive virt_migration_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_server_packets'($*)) dnl - - corenet_send_virt_migration_server_packets($1) - corenet_receive_virt_migration_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive virt_migration_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl - - corenet_dontaudit_send_virt_migration_server_packets($1) - corenet_dontaudit_receive_virt_migration_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to virt_migration_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_virt_migration_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_server_packets'($*)) dnl - - gen_require(` - type virt_migration_server_packet_t; - ') - - allow $1 virt_migration_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the vnc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vnc_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the vnc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_vnc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the vnc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vnc_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the vnc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vnc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the vnc port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the vnc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vnc_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the vnc port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the vnc port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vnc_port'($*)) dnl - - gen_require(` - type vnc_port_t; - ') - - allow $1 vnc_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vnc_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the vnc port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vnc_port'($*)) dnl - - gen_require(` - type vnc_port_t; - ') - - allow $1 vnc_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vnc_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the vnc port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_vnc_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vnc_port'($*)) dnl - - gen_require(` - type vnc_port_t; - ') - - allow $1 vnc_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vnc_port'($*)) dnl - ') - - - -######################################## -## -## Send vnc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_client_packets'($*)) dnl - - gen_require(` - type vnc_client_packet_t; - ') - - allow $1 vnc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send vnc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_client_packets'($*)) dnl - - gen_require(` - type vnc_client_packet_t; - ') - - dontaudit $1 vnc_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive vnc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_client_packets'($*)) dnl - - gen_require(` - type vnc_client_packet_t; - ') - - allow $1 vnc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive vnc_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl - - gen_require(` - type vnc_client_packet_t; - ') - - dontaudit $1 vnc_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive vnc_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_client_packets'($*)) dnl - - corenet_send_vnc_client_packets($1) - corenet_receive_vnc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive vnc_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl - - corenet_dontaudit_send_vnc_client_packets($1) - corenet_dontaudit_receive_vnc_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to vnc_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_vnc_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_client_packets'($*)) dnl - - gen_require(` - type vnc_client_packet_t; - ') - - allow $1 vnc_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send vnc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_server_packets'($*)) dnl - - gen_require(` - type vnc_server_packet_t; - ') - - allow $1 vnc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send vnc_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_server_packets'($*)) dnl - - gen_require(` - type vnc_server_packet_t; - ') - - dontaudit $1 vnc_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive vnc_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_server_packets'($*)) dnl - - gen_require(` - type vnc_server_packet_t; - ') - - allow $1 vnc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive vnc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl - - gen_require(` - type vnc_server_packet_t; - ') - - dontaudit $1 vnc_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive vnc_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_server_packets'($*)) dnl - - corenet_send_vnc_server_packets($1) - corenet_receive_vnc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive vnc_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl - - corenet_dontaudit_send_vnc_server_packets($1) - corenet_dontaudit_receive_vnc_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to vnc_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_vnc_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_server_packets'($*)) dnl - - gen_require(` - type vnc_server_packet_t; - ') - - allow $1 vnc_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the wccp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wccp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the wccp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_wccp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the wccp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wccp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the wccp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wccp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the wccp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the wccp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wccp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the wccp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the wccp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wccp_port'($*)) dnl - - gen_require(` - type wccp_port_t; - ') - - allow $1 wccp_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wccp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the wccp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wccp_port'($*)) dnl - - gen_require(` - type wccp_port_t; - ') - - allow $1 wccp_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wccp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the wccp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_wccp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wccp_port'($*)) dnl - - gen_require(` - type wccp_port_t; - ') - - allow $1 wccp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wccp_port'($*)) dnl - ') - - - -######################################## -## -## Send wccp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_client_packets'($*)) dnl - - gen_require(` - type wccp_client_packet_t; - ') - - allow $1 wccp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wccp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_client_packets'($*)) dnl - - gen_require(` - type wccp_client_packet_t; - ') - - dontaudit $1 wccp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive wccp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_client_packets'($*)) dnl - - gen_require(` - type wccp_client_packet_t; - ') - - allow $1 wccp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wccp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl - - gen_require(` - type wccp_client_packet_t; - ') - - dontaudit $1 wccp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wccp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_client_packets'($*)) dnl - - corenet_send_wccp_client_packets($1) - corenet_receive_wccp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wccp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl - - corenet_dontaudit_send_wccp_client_packets($1) - corenet_dontaudit_receive_wccp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wccp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_wccp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_client_packets'($*)) dnl - - gen_require(` - type wccp_client_packet_t; - ') - - allow $1 wccp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send wccp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_server_packets'($*)) dnl - - gen_require(` - type wccp_server_packet_t; - ') - - allow $1 wccp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wccp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_server_packets'($*)) dnl - - gen_require(` - type wccp_server_packet_t; - ') - - dontaudit $1 wccp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive wccp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_server_packets'($*)) dnl - - gen_require(` - type wccp_server_packet_t; - ') - - allow $1 wccp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wccp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl - - gen_require(` - type wccp_server_packet_t; - ') - - dontaudit $1 wccp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wccp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_server_packets'($*)) dnl - - corenet_send_wccp_server_packets($1) - corenet_receive_wccp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wccp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl - - corenet_dontaudit_send_wccp_server_packets($1) - corenet_dontaudit_receive_wccp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wccp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_wccp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_server_packets'($*)) dnl - - gen_require(` - type wccp_server_packet_t; - ') - - allow $1 wccp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the websm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_websm_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the websm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_websm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the websm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_websm_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the websm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_websm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the websm port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_websm_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the websm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_websm_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the websm port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the websm port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_websm_port'($*)) dnl - - gen_require(` - type websm_port_t; - ') - - allow $1 websm_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_websm_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the websm port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_websm_port'($*)) dnl - - gen_require(` - type websm_port_t; - ') - - allow $1 websm_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_websm_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the websm port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_websm_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_websm_port'($*)) dnl - - gen_require(` - type websm_port_t; - ') - - allow $1 websm_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_websm_port'($*)) dnl - ') - - - -######################################## -## -## Send websm_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_websm_client_packets'($*)) dnl - - gen_require(` - type websm_client_packet_t; - ') - - allow $1 websm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send websm_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_client_packets'($*)) dnl - - gen_require(` - type websm_client_packet_t; - ') - - dontaudit $1 websm_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive websm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_client_packets'($*)) dnl - - gen_require(` - type websm_client_packet_t; - ') - - allow $1 websm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive websm_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_client_packets'($*)) dnl - - gen_require(` - type websm_client_packet_t; - ') - - dontaudit $1 websm_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive websm_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_client_packets'($*)) dnl - - corenet_send_websm_client_packets($1) - corenet_receive_websm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive websm_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl - - corenet_dontaudit_send_websm_client_packets($1) - corenet_dontaudit_receive_websm_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to websm_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_websm_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_client_packets'($*)) dnl - - gen_require(` - type websm_client_packet_t; - ') - - allow $1 websm_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send websm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_websm_server_packets'($*)) dnl - - gen_require(` - type websm_server_packet_t; - ') - - allow $1 websm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send websm_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_server_packets'($*)) dnl - - gen_require(` - type websm_server_packet_t; - ') - - dontaudit $1 websm_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive websm_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_server_packets'($*)) dnl - - gen_require(` - type websm_server_packet_t; - ') - - allow $1 websm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive websm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_server_packets'($*)) dnl - - gen_require(` - type websm_server_packet_t; - ') - - dontaudit $1 websm_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive websm_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_server_packets'($*)) dnl - - corenet_send_websm_server_packets($1) - corenet_receive_websm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive websm_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl - - corenet_dontaudit_send_websm_server_packets($1) - corenet_dontaudit_receive_websm_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to websm_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_websm_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_server_packets'($*)) dnl - - gen_require(` - type websm_server_packet_t; - ') - - allow $1 websm_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the whois port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_whois_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the whois port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_whois_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the whois port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_whois_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the whois port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_whois_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the whois port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_whois_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the whois port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_whois_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the whois port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the whois port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_whois_port'($*)) dnl - - gen_require(` - type whois_port_t; - ') - - allow $1 whois_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_whois_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the whois port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_whois_port'($*)) dnl - - gen_require(` - type whois_port_t; - ') - - allow $1 whois_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_whois_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the whois port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_whois_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_whois_port'($*)) dnl - - gen_require(` - type whois_port_t; - ') - - allow $1 whois_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_whois_port'($*)) dnl - ') - - - -######################################## -## -## Send whois_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_whois_client_packets'($*)) dnl - - gen_require(` - type whois_client_packet_t; - ') - - allow $1 whois_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send whois_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_client_packets'($*)) dnl - - gen_require(` - type whois_client_packet_t; - ') - - dontaudit $1 whois_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive whois_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_client_packets'($*)) dnl - - gen_require(` - type whois_client_packet_t; - ') - - allow $1 whois_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive whois_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_client_packets'($*)) dnl - - gen_require(` - type whois_client_packet_t; - ') - - dontaudit $1 whois_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive whois_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_client_packets'($*)) dnl - - corenet_send_whois_client_packets($1) - corenet_receive_whois_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive whois_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl - - corenet_dontaudit_send_whois_client_packets($1) - corenet_dontaudit_receive_whois_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to whois_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_whois_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_client_packets'($*)) dnl - - gen_require(` - type whois_client_packet_t; - ') - - allow $1 whois_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send whois_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_whois_server_packets'($*)) dnl - - gen_require(` - type whois_server_packet_t; - ') - - allow $1 whois_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send whois_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_server_packets'($*)) dnl - - gen_require(` - type whois_server_packet_t; - ') - - dontaudit $1 whois_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive whois_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_server_packets'($*)) dnl - - gen_require(` - type whois_server_packet_t; - ') - - allow $1 whois_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive whois_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_server_packets'($*)) dnl - - gen_require(` - type whois_server_packet_t; - ') - - dontaudit $1 whois_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive whois_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_server_packets'($*)) dnl - - corenet_send_whois_server_packets($1) - corenet_receive_whois_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive whois_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl - - corenet_dontaudit_send_whois_server_packets($1) - corenet_dontaudit_receive_whois_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to whois_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_whois_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_server_packets'($*)) dnl - - gen_require(` - type whois_server_packet_t; - ') - - allow $1 whois_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the winshadow port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the winshadow port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the winshadow port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the winshadow port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the winshadow port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the winshadow port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the winshadow port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the winshadow port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_winshadow_port'($*)) dnl - - gen_require(` - type winshadow_port_t; - ') - - allow $1 winshadow_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the winshadow port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_winshadow_port'($*)) dnl - - gen_require(` - type winshadow_port_t; - ') - - allow $1 winshadow_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_winshadow_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the winshadow port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_winshadow_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_winshadow_port'($*)) dnl - - gen_require(` - type winshadow_port_t; - ') - - allow $1 winshadow_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_winshadow_port'($*)) dnl - ') - - - -######################################## -## -## Send winshadow_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_client_packets'($*)) dnl - - gen_require(` - type winshadow_client_packet_t; - ') - - allow $1 winshadow_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send winshadow_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_client_packets'($*)) dnl - - gen_require(` - type winshadow_client_packet_t; - ') - - dontaudit $1 winshadow_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive winshadow_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_client_packets'($*)) dnl - - gen_require(` - type winshadow_client_packet_t; - ') - - allow $1 winshadow_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive winshadow_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_client_packets'($*)) dnl - - gen_require(` - type winshadow_client_packet_t; - ') - - dontaudit $1 winshadow_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive winshadow_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_client_packets'($*)) dnl - - corenet_send_winshadow_client_packets($1) - corenet_receive_winshadow_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive winshadow_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_client_packets'($*)) dnl - - corenet_dontaudit_send_winshadow_client_packets($1) - corenet_dontaudit_receive_winshadow_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to winshadow_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_winshadow_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_client_packets'($*)) dnl - - gen_require(` - type winshadow_client_packet_t; - ') - - allow $1 winshadow_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send winshadow_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_server_packets'($*)) dnl - - gen_require(` - type winshadow_server_packet_t; - ') - - allow $1 winshadow_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send winshadow_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_server_packets'($*)) dnl - - gen_require(` - type winshadow_server_packet_t; - ') - - dontaudit $1 winshadow_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive winshadow_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_server_packets'($*)) dnl - - gen_require(` - type winshadow_server_packet_t; - ') - - allow $1 winshadow_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive winshadow_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_server_packets'($*)) dnl - - gen_require(` - type winshadow_server_packet_t; - ') - - dontaudit $1 winshadow_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive winshadow_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_server_packets'($*)) dnl - - corenet_send_winshadow_server_packets($1) - corenet_receive_winshadow_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive winshadow_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_server_packets'($*)) dnl - - corenet_dontaudit_send_winshadow_server_packets($1) - corenet_dontaudit_receive_winshadow_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to winshadow_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_winshadow_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_server_packets'($*)) dnl - - gen_require(` - type winshadow_server_packet_t; - ') - - allow $1 winshadow_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the wsdapi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the wsdapi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the wsdapi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the wsdapi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the wsdapi port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the wsdapi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the wsdapi port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the wsdapi port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsdapi_port'($*)) dnl - - gen_require(` - type wsdapi_port_t; - ') - - allow $1 wsdapi_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the wsdapi port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsdapi_port'($*)) dnl - - gen_require(` - type wsdapi_port_t; - ') - - allow $1 wsdapi_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsdapi_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the wsdapi port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_wsdapi_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsdapi_port'($*)) dnl - - gen_require(` - type wsdapi_port_t; - ') - - allow $1 wsdapi_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsdapi_port'($*)) dnl - ') - - - -######################################## -## -## Send wsdapi_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_client_packets'($*)) dnl - - gen_require(` - type wsdapi_client_packet_t; - ') - - allow $1 wsdapi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wsdapi_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_client_packets'($*)) dnl - - gen_require(` - type wsdapi_client_packet_t; - ') - - dontaudit $1 wsdapi_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive wsdapi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_client_packets'($*)) dnl - - gen_require(` - type wsdapi_client_packet_t; - ') - - allow $1 wsdapi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wsdapi_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_client_packets'($*)) dnl - - gen_require(` - type wsdapi_client_packet_t; - ') - - dontaudit $1 wsdapi_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wsdapi_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_client_packets'($*)) dnl - - corenet_send_wsdapi_client_packets($1) - corenet_receive_wsdapi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wsdapi_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*)) dnl - - corenet_dontaudit_send_wsdapi_client_packets($1) - corenet_dontaudit_receive_wsdapi_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wsdapi_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_wsdapi_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_client_packets'($*)) dnl - - gen_require(` - type wsdapi_client_packet_t; - ') - - allow $1 wsdapi_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send wsdapi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_server_packets'($*)) dnl - - gen_require(` - type wsdapi_server_packet_t; - ') - - allow $1 wsdapi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wsdapi_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl - - gen_require(` - type wsdapi_server_packet_t; - ') - - dontaudit $1 wsdapi_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive wsdapi_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_server_packets'($*)) dnl - - gen_require(` - type wsdapi_server_packet_t; - ') - - allow $1 wsdapi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wsdapi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl - - gen_require(` - type wsdapi_server_packet_t; - ') - - dontaudit $1 wsdapi_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wsdapi_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_server_packets'($*)) dnl - - corenet_send_wsdapi_server_packets($1) - corenet_receive_wsdapi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wsdapi_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl - - corenet_dontaudit_send_wsdapi_server_packets($1) - corenet_dontaudit_receive_wsdapi_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wsdapi_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_wsdapi_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_server_packets'($*)) dnl - - gen_require(` - type wsdapi_server_packet_t; - ') - - allow $1 wsdapi_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the wsicopy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the wsicopy port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the wsicopy port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the wsicopy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the wsicopy port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the wsicopy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the wsicopy port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the wsicopy port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsicopy_port'($*)) dnl - - gen_require(` - type wsicopy_port_t; - ') - - allow $1 wsicopy_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the wsicopy port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsicopy_port'($*)) dnl - - gen_require(` - type wsicopy_port_t; - ') - - allow $1 wsicopy_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsicopy_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the wsicopy port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_wsicopy_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsicopy_port'($*)) dnl - - gen_require(` - type wsicopy_port_t; - ') - - allow $1 wsicopy_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsicopy_port'($*)) dnl - ') - - - -######################################## -## -## Send wsicopy_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_client_packets'($*)) dnl - - gen_require(` - type wsicopy_client_packet_t; - ') - - allow $1 wsicopy_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wsicopy_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl - - gen_require(` - type wsicopy_client_packet_t; - ') - - dontaudit $1 wsicopy_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive wsicopy_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_client_packets'($*)) dnl - - gen_require(` - type wsicopy_client_packet_t; - ') - - allow $1 wsicopy_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wsicopy_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl - - gen_require(` - type wsicopy_client_packet_t; - ') - - dontaudit $1 wsicopy_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wsicopy_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_client_packets'($*)) dnl - - corenet_send_wsicopy_client_packets($1) - corenet_receive_wsicopy_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wsicopy_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl - - corenet_dontaudit_send_wsicopy_client_packets($1) - corenet_dontaudit_receive_wsicopy_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wsicopy_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_wsicopy_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_client_packets'($*)) dnl - - gen_require(` - type wsicopy_client_packet_t; - ') - - allow $1 wsicopy_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send wsicopy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_server_packets'($*)) dnl - - gen_require(` - type wsicopy_server_packet_t; - ') - - allow $1 wsicopy_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send wsicopy_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl - - gen_require(` - type wsicopy_server_packet_t; - ') - - dontaudit $1 wsicopy_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive wsicopy_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_server_packets'($*)) dnl - - gen_require(` - type wsicopy_server_packet_t; - ') - - allow $1 wsicopy_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive wsicopy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl - - gen_require(` - type wsicopy_server_packet_t; - ') - - dontaudit $1 wsicopy_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive wsicopy_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_server_packets'($*)) dnl - - corenet_send_wsicopy_server_packets($1) - corenet_receive_wsicopy_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive wsicopy_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl - - corenet_dontaudit_send_wsicopy_server_packets($1) - corenet_dontaudit_receive_wsicopy_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to wsicopy_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_wsicopy_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_server_packets'($*)) dnl - - gen_require(` - type wsicopy_server_packet_t; - ') - - allow $1 wsicopy_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the xdmcp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the xdmcp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the xdmcp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the xdmcp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the xdmcp port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the xdmcp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the xdmcp port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the xdmcp port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xdmcp_port'($*)) dnl - - gen_require(` - type xdmcp_port_t; - ') - - allow $1 xdmcp_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the xdmcp port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xdmcp_port'($*)) dnl - - gen_require(` - type xdmcp_port_t; - ') - - allow $1 xdmcp_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xdmcp_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the xdmcp port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_xdmcp_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xdmcp_port'($*)) dnl - - gen_require(` - type xdmcp_port_t; - ') - - allow $1 xdmcp_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xdmcp_port'($*)) dnl - ') - - - -######################################## -## -## Send xdmcp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_client_packets'($*)) dnl - - gen_require(` - type xdmcp_client_packet_t; - ') - - allow $1 xdmcp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xdmcp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl - - gen_require(` - type xdmcp_client_packet_t; - ') - - dontaudit $1 xdmcp_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive xdmcp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_client_packets'($*)) dnl - - gen_require(` - type xdmcp_client_packet_t; - ') - - allow $1 xdmcp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xdmcp_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl - - gen_require(` - type xdmcp_client_packet_t; - ') - - dontaudit $1 xdmcp_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xdmcp_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_client_packets'($*)) dnl - - corenet_send_xdmcp_client_packets($1) - corenet_receive_xdmcp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xdmcp_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl - - corenet_dontaudit_send_xdmcp_client_packets($1) - corenet_dontaudit_receive_xdmcp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xdmcp_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_xdmcp_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_client_packets'($*)) dnl - - gen_require(` - type xdmcp_client_packet_t; - ') - - allow $1 xdmcp_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send xdmcp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_server_packets'($*)) dnl - - gen_require(` - type xdmcp_server_packet_t; - ') - - allow $1 xdmcp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xdmcp_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl - - gen_require(` - type xdmcp_server_packet_t; - ') - - dontaudit $1 xdmcp_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive xdmcp_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_server_packets'($*)) dnl - - gen_require(` - type xdmcp_server_packet_t; - ') - - allow $1 xdmcp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xdmcp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl - - gen_require(` - type xdmcp_server_packet_t; - ') - - dontaudit $1 xdmcp_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xdmcp_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_server_packets'($*)) dnl - - corenet_send_xdmcp_server_packets($1) - corenet_receive_xdmcp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xdmcp_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl - - corenet_dontaudit_send_xdmcp_server_packets($1) - corenet_dontaudit_receive_xdmcp_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xdmcp_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_xdmcp_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_server_packets'($*)) dnl - - gen_require(` - type xdmcp_server_packet_t; - ') - - allow $1 xdmcp_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the xen port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xen_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the xen port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_xen_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the xen port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xen_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the xen port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xen_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the xen port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xen_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the xen port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xen_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the xen port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the xen port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xen_port'($*)) dnl - - gen_require(` - type xen_port_t; - ') - - allow $1 xen_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xen_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the xen port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xen_port'($*)) dnl - - gen_require(` - type xen_port_t; - ') - - allow $1 xen_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xen_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the xen port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_xen_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xen_port'($*)) dnl - - gen_require(` - type xen_port_t; - ') - - allow $1 xen_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xen_port'($*)) dnl - ') - - - -######################################## -## -## Send xen_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xen_client_packets'($*)) dnl - - gen_require(` - type xen_client_packet_t; - ') - - allow $1 xen_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xen_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_client_packets'($*)) dnl - - gen_require(` - type xen_client_packet_t; - ') - - dontaudit $1 xen_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive xen_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_client_packets'($*)) dnl - - gen_require(` - type xen_client_packet_t; - ') - - allow $1 xen_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xen_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_client_packets'($*)) dnl - - gen_require(` - type xen_client_packet_t; - ') - - dontaudit $1 xen_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xen_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_client_packets'($*)) dnl - - corenet_send_xen_client_packets($1) - corenet_receive_xen_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xen_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl - - corenet_dontaudit_send_xen_client_packets($1) - corenet_dontaudit_receive_xen_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xen_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_xen_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_client_packets'($*)) dnl - - gen_require(` - type xen_client_packet_t; - ') - - allow $1 xen_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send xen_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xen_server_packets'($*)) dnl - - gen_require(` - type xen_server_packet_t; - ') - - allow $1 xen_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xen_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_server_packets'($*)) dnl - - gen_require(` - type xen_server_packet_t; - ') - - dontaudit $1 xen_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive xen_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_server_packets'($*)) dnl - - gen_require(` - type xen_server_packet_t; - ') - - allow $1 xen_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xen_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_server_packets'($*)) dnl - - gen_require(` - type xen_server_packet_t; - ') - - dontaudit $1 xen_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xen_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_server_packets'($*)) dnl - - corenet_send_xen_server_packets($1) - corenet_receive_xen_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xen_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl - - corenet_dontaudit_send_xen_server_packets($1) - corenet_dontaudit_receive_xen_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xen_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_xen_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_server_packets'($*)) dnl - - gen_require(` - type xen_server_packet_t; - ') - - allow $1 xen_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the xfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xfs_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the xfs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_xfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the xfs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xfs_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the xfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the xfs port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the xfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xfs_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the xfs port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the xfs port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xfs_port'($*)) dnl - - gen_require(` - type xfs_port_t; - ') - - allow $1 xfs_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xfs_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the xfs port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xfs_port'($*)) dnl - - gen_require(` - type xfs_port_t; - ') - - allow $1 xfs_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xfs_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the xfs port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_xfs_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xfs_port'($*)) dnl - - gen_require(` - type xfs_port_t; - ') - - allow $1 xfs_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xfs_port'($*)) dnl - ') - - - -######################################## -## -## Send xfs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_client_packets'($*)) dnl - - gen_require(` - type xfs_client_packet_t; - ') - - allow $1 xfs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xfs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_client_packets'($*)) dnl - - gen_require(` - type xfs_client_packet_t; - ') - - dontaudit $1 xfs_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive xfs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_client_packets'($*)) dnl - - gen_require(` - type xfs_client_packet_t; - ') - - allow $1 xfs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xfs_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl - - gen_require(` - type xfs_client_packet_t; - ') - - dontaudit $1 xfs_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xfs_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_client_packets'($*)) dnl - - corenet_send_xfs_client_packets($1) - corenet_receive_xfs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xfs_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl - - corenet_dontaudit_send_xfs_client_packets($1) - corenet_dontaudit_receive_xfs_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xfs_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_xfs_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_client_packets'($*)) dnl - - gen_require(` - type xfs_client_packet_t; - ') - - allow $1 xfs_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send xfs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_server_packets'($*)) dnl - - gen_require(` - type xfs_server_packet_t; - ') - - allow $1 xfs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xfs_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_server_packets'($*)) dnl - - gen_require(` - type xfs_server_packet_t; - ') - - dontaudit $1 xfs_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive xfs_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_server_packets'($*)) dnl - - gen_require(` - type xfs_server_packet_t; - ') - - allow $1 xfs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xfs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl - - gen_require(` - type xfs_server_packet_t; - ') - - dontaudit $1 xfs_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xfs_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_server_packets'($*)) dnl - - corenet_send_xfs_server_packets($1) - corenet_receive_xfs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xfs_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl - - corenet_dontaudit_send_xfs_server_packets($1) - corenet_dontaudit_receive_xfs_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xfs_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_xfs_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_server_packets'($*)) dnl - - gen_require(` - type xfs_server_packet_t; - ') - - allow $1 xfs_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the xserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xserver_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the xserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_xserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the xserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xserver_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the xserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the xserver port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xserver_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the xserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xserver_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the xserver port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xserver_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the xserver port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xserver_port'($*)) dnl - - gen_require(` - type xserver_port_t; - ') - - allow $1 xserver_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xserver_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the xserver port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xserver_port'($*)) dnl - - gen_require(` - type xserver_port_t; - ') - - allow $1 xserver_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xserver_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the xserver port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_xserver_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xserver_port'($*)) dnl - - gen_require(` - type xserver_port_t; - ') - - allow $1 xserver_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xserver_port'($*)) dnl - ') - - - -######################################## -## -## Send xserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_client_packets'($*)) dnl - - gen_require(` - type xserver_client_packet_t; - ') - - allow $1 xserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_client_packets'($*)) dnl - - gen_require(` - type xserver_client_packet_t; - ') - - dontaudit $1 xserver_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive xserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_client_packets'($*)) dnl - - gen_require(` - type xserver_client_packet_t; - ') - - allow $1 xserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xserver_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl - - gen_require(` - type xserver_client_packet_t; - ') - - dontaudit $1 xserver_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xserver_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_client_packets'($*)) dnl - - corenet_send_xserver_client_packets($1) - corenet_receive_xserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xserver_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl - - corenet_dontaudit_send_xserver_client_packets($1) - corenet_dontaudit_receive_xserver_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xserver_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_xserver_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_client_packets'($*)) dnl - - gen_require(` - type xserver_client_packet_t; - ') - - allow $1 xserver_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send xserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_server_packets'($*)) dnl - - gen_require(` - type xserver_server_packet_t; - ') - - allow $1 xserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send xserver_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_server_packets'($*)) dnl - - gen_require(` - type xserver_server_packet_t; - ') - - dontaudit $1 xserver_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive xserver_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_server_packets'($*)) dnl - - gen_require(` - type xserver_server_packet_t; - ') - - allow $1 xserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive xserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl - - gen_require(` - type xserver_server_packet_t; - ') - - dontaudit $1 xserver_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive xserver_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_server_packets'($*)) dnl - - corenet_send_xserver_server_packets($1) - corenet_receive_xserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive xserver_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl - - corenet_dontaudit_send_xserver_server_packets($1) - corenet_dontaudit_receive_xserver_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to xserver_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_xserver_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_server_packets'($*)) dnl - - gen_require(` - type xserver_server_packet_t; - ') - - allow $1 xserver_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zarafa port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zarafa port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zarafa port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zarafa port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zarafa port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zarafa port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zarafa port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zarafa port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zarafa_port'($*)) dnl - - gen_require(` - type zarafa_port_t; - ') - - allow $1 zarafa_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zarafa port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zarafa_port'($*)) dnl - - gen_require(` - type zarafa_port_t; - ') - - allow $1 zarafa_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zarafa_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zarafa port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zarafa_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zarafa_port'($*)) dnl - - gen_require(` - type zarafa_port_t; - ') - - allow $1 zarafa_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zarafa_port'($*)) dnl - ') - - - -######################################## -## -## Send zarafa_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_client_packets'($*)) dnl - - gen_require(` - type zarafa_client_packet_t; - ') - - allow $1 zarafa_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zarafa_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl - - gen_require(` - type zarafa_client_packet_t; - ') - - dontaudit $1 zarafa_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zarafa_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_client_packets'($*)) dnl - - gen_require(` - type zarafa_client_packet_t; - ') - - allow $1 zarafa_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zarafa_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl - - gen_require(` - type zarafa_client_packet_t; - ') - - dontaudit $1 zarafa_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zarafa_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_client_packets'($*)) dnl - - corenet_send_zarafa_client_packets($1) - corenet_receive_zarafa_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zarafa_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl - - corenet_dontaudit_send_zarafa_client_packets($1) - corenet_dontaudit_receive_zarafa_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zarafa_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zarafa_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_client_packets'($*)) dnl - - gen_require(` - type zarafa_client_packet_t; - ') - - allow $1 zarafa_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zarafa_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_server_packets'($*)) dnl - - gen_require(` - type zarafa_server_packet_t; - ') - - allow $1 zarafa_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zarafa_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl - - gen_require(` - type zarafa_server_packet_t; - ') - - dontaudit $1 zarafa_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zarafa_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_server_packets'($*)) dnl - - gen_require(` - type zarafa_server_packet_t; - ') - - allow $1 zarafa_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zarafa_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl - - gen_require(` - type zarafa_server_packet_t; - ') - - dontaudit $1 zarafa_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zarafa_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_server_packets'($*)) dnl - - corenet_send_zarafa_server_packets($1) - corenet_receive_zarafa_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zarafa_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl - - corenet_dontaudit_send_zarafa_server_packets($1) - corenet_dontaudit_receive_zarafa_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zarafa_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zarafa_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_server_packets'($*)) dnl - - gen_require(` - type zarafa_server_packet_t; - ') - - allow $1 zarafa_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zabbix port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zabbix port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zabbix port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zabbix port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zabbix port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zabbix port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zabbix port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zabbix port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_port'($*)) dnl - - gen_require(` - type zabbix_port_t; - ') - - allow $1 zabbix_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zabbix port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_port'($*)) dnl - - gen_require(` - type zabbix_port_t; - ') - - allow $1 zabbix_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zabbix port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zabbix_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_port'($*)) dnl - - gen_require(` - type zabbix_port_t; - ') - - allow $1 zabbix_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_port'($*)) dnl - ') - - - -######################################## -## -## Send zabbix_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_client_packets'($*)) dnl - - gen_require(` - type zabbix_client_packet_t; - ') - - allow $1 zabbix_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zabbix_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl - - gen_require(` - type zabbix_client_packet_t; - ') - - dontaudit $1 zabbix_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zabbix_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_client_packets'($*)) dnl - - gen_require(` - type zabbix_client_packet_t; - ') - - allow $1 zabbix_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zabbix_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl - - gen_require(` - type zabbix_client_packet_t; - ') - - dontaudit $1 zabbix_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zabbix_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_client_packets'($*)) dnl - - corenet_send_zabbix_client_packets($1) - corenet_receive_zabbix_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zabbix_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl - - corenet_dontaudit_send_zabbix_client_packets($1) - corenet_dontaudit_receive_zabbix_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zabbix_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zabbix_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_client_packets'($*)) dnl - - gen_require(` - type zabbix_client_packet_t; - ') - - allow $1 zabbix_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zabbix_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_server_packets'($*)) dnl - - gen_require(` - type zabbix_server_packet_t; - ') - - allow $1 zabbix_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zabbix_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl - - gen_require(` - type zabbix_server_packet_t; - ') - - dontaudit $1 zabbix_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zabbix_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_server_packets'($*)) dnl - - gen_require(` - type zabbix_server_packet_t; - ') - - allow $1 zabbix_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zabbix_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl - - gen_require(` - type zabbix_server_packet_t; - ') - - dontaudit $1 zabbix_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zabbix_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_server_packets'($*)) dnl - - corenet_send_zabbix_server_packets($1) - corenet_receive_zabbix_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zabbix_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl - - corenet_dontaudit_send_zabbix_server_packets($1) - corenet_dontaudit_receive_zabbix_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zabbix_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zabbix_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_server_packets'($*)) dnl - - gen_require(` - type zabbix_server_packet_t; - ') - - allow $1 zabbix_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zabbix_agent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zabbix_agent port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zabbix_agent port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zabbix_agent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zabbix_agent port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zabbix_agent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zabbix_agent port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zabbix_agent port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_agent_port'($*)) dnl - - gen_require(` - type zabbix_agent_port_t; - ') - - allow $1 zabbix_agent_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zabbix_agent port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_agent_port'($*)) dnl - - gen_require(` - type zabbix_agent_port_t; - ') - - allow $1 zabbix_agent_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_agent_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zabbix_agent port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zabbix_agent_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_agent_port'($*)) dnl - - gen_require(` - type zabbix_agent_port_t; - ') - - allow $1 zabbix_agent_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_agent_port'($*)) dnl - ') - - - -######################################## -## -## Send zabbix_agent_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_client_packets'($*)) dnl - - gen_require(` - type zabbix_agent_client_packet_t; - ') - - allow $1 zabbix_agent_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zabbix_agent_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl - - gen_require(` - type zabbix_agent_client_packet_t; - ') - - dontaudit $1 zabbix_agent_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zabbix_agent_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_client_packets'($*)) dnl - - gen_require(` - type zabbix_agent_client_packet_t; - ') - - allow $1 zabbix_agent_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zabbix_agent_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl - - gen_require(` - type zabbix_agent_client_packet_t; - ') - - dontaudit $1 zabbix_agent_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zabbix_agent_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl - - corenet_send_zabbix_agent_client_packets($1) - corenet_receive_zabbix_agent_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zabbix_agent_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl - - corenet_dontaudit_send_zabbix_agent_client_packets($1) - corenet_dontaudit_receive_zabbix_agent_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zabbix_agent_client the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zabbix_agent_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl - - gen_require(` - type zabbix_agent_client_packet_t; - ') - - allow $1 zabbix_agent_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zabbix_agent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_server_packets'($*)) dnl - - gen_require(` - type zabbix_agent_server_packet_t; - ') - - allow $1 zabbix_agent_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zabbix_agent_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl - - gen_require(` - type zabbix_agent_server_packet_t; - ') - - dontaudit $1 zabbix_agent_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zabbix_agent_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_receive_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_server_packets'($*)) dnl - - gen_require(` - type zabbix_agent_server_packet_t; - ') - - allow $1 zabbix_agent_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zabbix_agent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl - - gen_require(` - type zabbix_agent_server_packet_t; - ') - - dontaudit $1 zabbix_agent_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zabbix_agent_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl - - corenet_send_zabbix_agent_server_packets($1) - corenet_receive_zabbix_agent_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zabbix_agent_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl - - corenet_dontaudit_send_zabbix_agent_server_packets($1) - corenet_dontaudit_receive_zabbix_agent_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zabbix_agent_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zabbix_agent_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_server_packets'($*)) dnl - - gen_require(` - type zabbix_agent_server_packet_t; - ') - - allow $1 zabbix_agent_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zookeeper_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zookeeper_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zookeeper_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zookeeper_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zookeeper_client port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zookeeper_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zookeeper_client port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zookeeper_client port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_client_port'($*)) dnl - - gen_require(` - type zookeeper_client_port_t; - ') - - allow $1 zookeeper_client_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zookeeper_client port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_client_port'($*)) dnl - - gen_require(` - type zookeeper_client_port_t; - ') - - allow $1 zookeeper_client_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_client_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zookeeper_client port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zookeeper_client_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_client_port'($*)) dnl - - gen_require(` - type zookeeper_client_port_t; - ') - - allow $1 zookeeper_client_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_client_port'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_client_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_client_packets'($*)) dnl - - gen_require(` - type zookeeper_client_client_packet_t; - ') - - allow $1 zookeeper_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_client_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_client_packets'($*)) dnl - - gen_require(` - type zookeeper_client_client_packet_t; - ') - - dontaudit $1 zookeeper_client_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_client_packets'($*)) dnl - - gen_require(` - type zookeeper_client_client_packet_t; - ') - - allow $1 zookeeper_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_client_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_client_packets'($*)) dnl - - gen_require(` - type zookeeper_client_client_packet_t; - ') - - dontaudit $1 zookeeper_client_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_client_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_client_packets'($*)) dnl - - corenet_send_zookeeper_client_client_packets($1) - corenet_receive_zookeeper_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_client_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_client_client_packets($1) - corenet_dontaudit_receive_zookeeper_client_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_client_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zookeeper_client_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_client_packets'($*)) dnl - - gen_require(` - type zookeeper_client_client_packet_t; - ') - - allow $1 zookeeper_client_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_server_packets'($*)) dnl - - gen_require(` - type zookeeper_client_server_packet_t; - ') - - allow $1 zookeeper_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_client_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_server_packets'($*)) dnl - - gen_require(` - type zookeeper_client_server_packet_t; - ') - - dontaudit $1 zookeeper_client_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_server_packets'($*)) dnl - - gen_require(` - type zookeeper_client_server_packet_t; - ') - - allow $1 zookeeper_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_client_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_server_packets'($*)) dnl - - gen_require(` - type zookeeper_client_server_packet_t; - ') - - dontaudit $1 zookeeper_client_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_client_server packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_server_packets'($*)) dnl - - corenet_send_zookeeper_client_server_packets($1) - corenet_receive_zookeeper_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_client_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_client_server_packets($1) - corenet_dontaudit_receive_zookeeper_client_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_client_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zookeeper_client_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_server_packets'($*)) dnl - - gen_require(` - type zookeeper_client_server_packet_t; - ') - - allow $1 zookeeper_client_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zookeeper_election port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zookeeper_election port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zookeeper_election port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zookeeper_election port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zookeeper_election port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zookeeper_election port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zookeeper_election port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zookeeper_election port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_election_port'($*)) dnl - - gen_require(` - type zookeeper_election_port_t; - ') - - allow $1 zookeeper_election_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zookeeper_election port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_election_port'($*)) dnl - - gen_require(` - type zookeeper_election_port_t; - ') - - allow $1 zookeeper_election_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_election_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zookeeper_election port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zookeeper_election_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_election_port'($*)) dnl - - gen_require(` - type zookeeper_election_port_t; - ') - - allow $1 zookeeper_election_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_election_port'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_election_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_client_packets'($*)) dnl - - gen_require(` - type zookeeper_election_client_packet_t; - ') - - allow $1 zookeeper_election_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_election_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_client_packets'($*)) dnl - - gen_require(` - type zookeeper_election_client_packet_t; - ') - - dontaudit $1 zookeeper_election_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_election_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_client_packets'($*)) dnl - - gen_require(` - type zookeeper_election_client_packet_t; - ') - - allow $1 zookeeper_election_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_election_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_client_packets'($*)) dnl - - gen_require(` - type zookeeper_election_client_packet_t; - ') - - dontaudit $1 zookeeper_election_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_election_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_client_packets'($*)) dnl - - corenet_send_zookeeper_election_client_packets($1) - corenet_receive_zookeeper_election_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_election_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_election_client_packets($1) - corenet_dontaudit_receive_zookeeper_election_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_election_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zookeeper_election_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_client_packets'($*)) dnl - - gen_require(` - type zookeeper_election_client_packet_t; - ') - - allow $1 zookeeper_election_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_election_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_server_packets'($*)) dnl - - gen_require(` - type zookeeper_election_server_packet_t; - ') - - allow $1 zookeeper_election_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_election_server packets. 
-## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_server_packets'($*)) dnl - - gen_require(` - type zookeeper_election_server_packet_t; - ') - - dontaudit $1 zookeeper_election_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_election_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_server_packets'($*)) dnl - - gen_require(` - type zookeeper_election_server_packet_t; - ') - - allow $1 zookeeper_election_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_election_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_server_packets'($*)) dnl - - gen_require(` - type zookeeper_election_server_packet_t; - ') - - dontaudit $1 zookeeper_election_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_election_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_server_packets'($*)) dnl - - corenet_send_zookeeper_election_server_packets($1) - corenet_receive_zookeeper_election_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_election_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_election_server_packets($1) - corenet_dontaudit_receive_zookeeper_election_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_election_server the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zookeeper_election_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_server_packets'($*)) dnl - - gen_require(` - type zookeeper_election_server_packet_t; - ') - - allow $1 zookeeper_election_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zookeeper_leader port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zookeeper_leader port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_send_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zookeeper_leader port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_send_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zookeeper_leader port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zookeeper_leader port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_receive_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zookeeper_leader port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zookeeper_leader port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zookeeper_leader port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_tcp_bind_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_leader_port'($*)) dnl - - gen_require(` - type zookeeper_leader_port_t; - ') - - allow $1 zookeeper_leader_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zookeeper_leader port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_bind_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_leader_port'($*)) dnl - - gen_require(` - type zookeeper_leader_port_t; - ') - - allow $1 zookeeper_leader_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_leader_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zookeeper_leader port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zookeeper_leader_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_leader_port'($*)) dnl - - gen_require(` - type zookeeper_leader_port_t; - ') - - allow $1 zookeeper_leader_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_leader_port'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_leader_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_client_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_client_packet_t; - ') - - allow $1 zookeeper_leader_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_leader_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_client_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_client_packet_t; - ') - - dontaudit $1 zookeeper_leader_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_leader_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_client_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_client_packet_t; - ') - - allow $1 zookeeper_leader_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_leader_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_client_packet_t; - ') - - dontaudit $1 zookeeper_leader_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_leader_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_client_packets'($*)) dnl - - corenet_send_zookeeper_leader_client_packets($1) - corenet_receive_zookeeper_leader_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_leader_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_leader_client_packets($1) - corenet_dontaudit_receive_zookeeper_leader_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_leader_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zookeeper_leader_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_client_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_client_packet_t; - ') - - allow $1 zookeeper_leader_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zookeeper_leader_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_server_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_server_packet_t; - ') - - allow $1 zookeeper_leader_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zookeeper_leader_server packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_server_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_server_packet_t; - ') - - dontaudit $1 zookeeper_leader_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zookeeper_leader_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_server_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_server_packet_t; - ') - - allow $1 zookeeper_leader_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zookeeper_leader_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_server_packet_t; - ') - - dontaudit $1 zookeeper_leader_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zookeeper_leader_server packets. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_server_packets'($*)) dnl - - corenet_send_zookeeper_leader_server_packets($1) - corenet_receive_zookeeper_leader_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zookeeper_leader_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*)) dnl - - corenet_dontaudit_send_zookeeper_leader_server_packets($1) - corenet_dontaudit_receive_zookeeper_leader_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zookeeper_leader_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zookeeper_leader_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_server_packets'($*)) dnl - - gen_require(` - type zookeeper_leader_server_packet_t; - ') - - allow $1 zookeeper_leader_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zebra port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zebra_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zebra port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zebra_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zebra port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zebra_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zebra port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zebra_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zebra port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zebra_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zebra port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zebra_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zebra port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zebra_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zebra port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zebra_port'($*)) dnl - - gen_require(` - type zebra_port_t; - ') - - allow $1 zebra_port_t:tcp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zebra_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zebra port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zebra_port'($*)) dnl - - gen_require(` - type zebra_port_t; - ') - - allow $1 zebra_port_t:udp_socket name_bind; - allow $1 self:capability net_bind_service; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zebra_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zebra port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zebra_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zebra_port'($*)) dnl - - gen_require(` - type zebra_port_t; - ') - - allow $1 zebra_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zebra_port'($*)) dnl - ') - - - -######################################## -## -## Send zebra_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_client_packets'($*)) dnl - - gen_require(` - type zebra_client_packet_t; - ') - - allow $1 zebra_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zebra_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_client_packets'($*)) dnl - - gen_require(` - type zebra_client_packet_t; - ') - - dontaudit $1 zebra_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zebra_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_client_packets'($*)) dnl - - gen_require(` - type zebra_client_packet_t; - ') - - allow $1 zebra_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zebra_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl - - gen_require(` - type zebra_client_packet_t; - ') - - dontaudit $1 zebra_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zebra_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_client_packets'($*)) dnl - - corenet_send_zebra_client_packets($1) - corenet_receive_zebra_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zebra_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl - - corenet_dontaudit_send_zebra_client_packets($1) - corenet_dontaudit_receive_zebra_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zebra_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zebra_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_client_packets'($*)) dnl - - gen_require(` - type zebra_client_packet_t; - ') - - allow $1 zebra_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zebra_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_server_packets'($*)) dnl - - gen_require(` - type zebra_server_packet_t; - ') - - allow $1 zebra_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zebra_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_server_packets'($*)) dnl - - gen_require(` - type zebra_server_packet_t; - ') - - dontaudit $1 zebra_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zebra_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_server_packets'($*)) dnl - - gen_require(` - type zebra_server_packet_t; - ') - - allow $1 zebra_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zebra_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl - - gen_require(` - type zebra_server_packet_t; - ') - - dontaudit $1 zebra_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zebra_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_server_packets'($*)) dnl - - corenet_send_zebra_server_packets($1) - corenet_receive_zebra_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zebra_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl - - corenet_dontaudit_send_zebra_server_packets($1) - corenet_dontaudit_receive_zebra_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zebra_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zebra_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_server_packets'($*)) dnl - - gen_require(` - type zebra_server_packet_t; - ') - - allow $1 zebra_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zented port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zented_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zented port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zented_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zented port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zented_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zented port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zented_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zented port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zented_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zented port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zented_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zented port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zented port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zented_port'($*)) dnl - - gen_require(` - type zented_port_t; - ') - - allow $1 zented_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zented_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zented port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zented_port'($*)) dnl - - gen_require(` - type zented_port_t; - ') - - allow $1 zented_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zented_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zented port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zented_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zented_port'($*)) dnl - - gen_require(` - type zented_port_t; - ') - - allow $1 zented_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zented_port'($*)) dnl - ') - - - -######################################## -## -## Send zented_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zented_client_packets'($*)) dnl - - gen_require(` - type zented_client_packet_t; - ') - - allow $1 zented_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zented_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_client_packets'($*)) dnl - - gen_require(` - type zented_client_packet_t; - ') - - dontaudit $1 zented_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zented_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_client_packets'($*)) dnl - - gen_require(` - type zented_client_packet_t; - ') - - allow $1 zented_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zented_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_client_packets'($*)) dnl - - gen_require(` - type zented_client_packet_t; - ') - - dontaudit $1 zented_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zented_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_client_packets'($*)) dnl - - corenet_send_zented_client_packets($1) - corenet_receive_zented_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zented_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl - - corenet_dontaudit_send_zented_client_packets($1) - corenet_dontaudit_receive_zented_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zented_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zented_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_client_packets'($*)) dnl - - gen_require(` - type zented_client_packet_t; - ') - - allow $1 zented_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zented_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zented_server_packets'($*)) dnl - - gen_require(` - type zented_server_packet_t; - ') - - allow $1 zented_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zented_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_server_packets'($*)) dnl - - gen_require(` - type zented_server_packet_t; - ') - - dontaudit $1 zented_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zented_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_server_packets'($*)) dnl - - gen_require(` - type zented_server_packet_t; - ') - - allow $1 zented_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zented_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_server_packets'($*)) dnl - - gen_require(` - type zented_server_packet_t; - ') - - dontaudit $1 zented_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zented_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_server_packets'($*)) dnl - - corenet_send_zented_server_packets($1) - corenet_receive_zented_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zented_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl - - corenet_dontaudit_send_zented_server_packets($1) - corenet_dontaudit_receive_zented_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zented_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zented_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_server_packets'($*)) dnl - - gen_require(` - type zented_server_packet_t; - ') - - allow $1 zented_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_server_packets'($*)) dnl - ') - - - - - -######################################## -## -## Send and receive TCP traffic on the zope port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zope_port'($*)) dnl - ') - - -######################################## -## -## Send UDP traffic on the zope port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_zope_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send UDP traffic on the zope port. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_udp_send_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zope_port'($*)) dnl - ') - - -######################################## -## -## Receive UDP traffic on the zope port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_receive_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zope_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP traffic on the zope port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_receive_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zope_port'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP traffic on the zope port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_sendrecv_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zope_port'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive -## UDP traffic on the zope port. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_udp_sendrecv_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please remove.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl - ') - - -######################################## -## -## Bind TCP sockets to the zope port. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_bind_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zope_port'($*)) dnl - - gen_require(` - type zope_port_t; - ') - - allow $1 zope_port_t:tcp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zope_port'($*)) dnl - ') - - -######################################## -## -## Bind UDP sockets to the zope port. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_bind_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zope_port'($*)) dnl - - gen_require(` - type zope_port_t; - ') - - allow $1 zope_port_t:udp_socket name_bind; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zope_port'($*)) dnl - ') - - -######################################## -## -## Make a TCP connection to the zope port. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_tcp_connect_zope_port',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zope_port'($*)) dnl - - gen_require(` - type zope_port_t; - ') - - allow $1 zope_port_t:tcp_socket name_connect; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zope_port'($*)) dnl - ') - - - -######################################## -## -## Send zope_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_send_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zope_client_packets'($*)) dnl - - gen_require(` - type zope_client_packet_t; - ') - - allow $1 zope_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zope_client packets. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`corenet_dontaudit_send_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_client_packets'($*)) dnl - - gen_require(` - type zope_client_packet_t; - ') - - dontaudit $1 zope_client_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Receive zope_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_client_packets'($*)) dnl - - gen_require(` - type zope_client_packet_t; - ') - - allow $1 zope_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zope_client packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_dontaudit_receive_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_client_packets'($*)) dnl - - gen_require(` - type zope_client_packet_t; - ') - - dontaudit $1 zope_client_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zope_client packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_sendrecv_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_client_packets'($*)) dnl - - corenet_send_zope_client_packets($1) - corenet_receive_zope_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zope_client packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl - - corenet_dontaudit_send_zope_client_packets($1) - corenet_dontaudit_receive_zope_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zope_client the packet type. -## -## -## -## Domain allowed access. -## -## -# - define(`corenet_relabelto_zope_client_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_client_packets'($*)) dnl - - gen_require(` - type zope_client_packet_t; - ') - - allow $1 zope_client_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_client_packets'($*)) dnl - ') - - - -######################################## -## -## Send zope_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_send_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_send_zope_server_packets'($*)) dnl - - gen_require(` - type zope_server_packet_t; - ') - - allow $1 zope_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_send_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send zope_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_send_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_server_packets'($*)) dnl - - gen_require(` - type zope_server_packet_t; - ') - - dontaudit $1 zope_server_packet_t:packet send; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Receive zope_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_receive_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_server_packets'($*)) dnl - - gen_require(` - type zope_server_packet_t; - ') - - allow $1 zope_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_receive_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive zope_server packets. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_dontaudit_receive_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_server_packets'($*)) dnl - - gen_require(` - type zope_server_packet_t; - ') - - dontaudit $1 zope_server_packet_t:packet recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Send and receive zope_server packets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_sendrecv_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_server_packets'($*)) dnl - - corenet_send_zope_server_packets($1) - corenet_receive_zope_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive zope_server packets. -## -## -## -## Domain to not audit. -## -## -## -# - define(`corenet_dontaudit_sendrecv_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl - - corenet_dontaudit_send_zope_server_packets($1) - corenet_dontaudit_receive_zope_server_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl - ') - - -######################################## -## -## Relabel packets to zope_server the packet type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corenet_relabelto_zope_server_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_server_packets'($*)) dnl - - gen_require(` - type zope_server_packet_t; - ') - - allow $1 zope_server_packet_t:packet relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_server_packets'($*)) dnl - ') - - - - - - -######################################## -## -## Send and receive TCP network traffic on the lo interface. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_tcp_sendrecv_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lo_if'($*)) dnl - - gen_require(` - type lo_netif_t; - ') - - allow $1 lo_netif_t:netif { egress ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lo_if'($*)) dnl - ') - - -######################################## -## -## Send UDP network traffic on the lo interface. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_send_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lo_if'($*)) dnl - - gen_require(` - type lo_netif_t; - ') - - allow $1 lo_netif_t:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_send_lo_if'($*)) dnl - ') - - -######################################## -## -## Receive UDP network traffic on the lo interface. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_udp_receive_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lo_if'($*)) dnl - - gen_require(` - type lo_netif_t; - ') - - allow $1 lo_netif_t:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lo_if'($*)) dnl - ') - - -######################################## -## -## Send and receive UDP network traffic on the lo interface. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_udp_sendrecv_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lo_if'($*)) dnl - - corenet_udp_send_lo_if($1) - corenet_udp_receive_lo_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lo_if'($*)) dnl - ') - - -######################################## -## -## Send raw IP packets on the lo interface. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_raw_send_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_send_lo_if'($*)) dnl - - gen_require(` - type lo_netif_t; - ') - - allow $1 lo_netif_t:netif { egress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_send_lo_if'($*)) dnl - ') - - -######################################## -## -## Receive raw IP packets on the lo interface. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corenet_raw_receive_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_lo_if'($*)) dnl - - gen_require(` - type lo_netif_t; - ') - - allow $1 lo_netif_t:netif { ingress }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_receive_lo_if'($*)) dnl - ') - - -######################################## -## -## Send and receive raw IP packets on the lo interface. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corenet_raw_sendrecv_lo_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_lo_if'($*)) dnl - - corenet_raw_send_lo_if($1) - corenet_raw_receive_lo_if($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_lo_if'($*)) dnl - ') - - - - -## -## Policy for kernel threads, proc filesystem, -## and unlabeled processes and objects. -## -## -## This module has initial SIDs. -## - -######################################## -## -## Allows the kernel to start userland processes -## by dynamic transitions to the specified domain. -## -## -## -## The process type entered by the kernel. -## -## -# - define(`kernel_dyntrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dyntrans_to'($*)) dnl - - gen_require(` - type kernel_t; - ') - - domain_dyntrans_type(kernel_t) - allow kernel_t self:process setcurrent; - allow kernel_t $1:process dyntransition; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dyntrans_to'($*)) dnl - ') - - -######################################## -## -## Allows to start userland processes -## by transitioning to the specified domain. -## -## -## -## The process type entered by kernel. -## -## -## -## -## The executable type for the entrypoint. 
-## -## -# - define(`kernel_domtrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_domtrans_to'($*)) dnl - - gen_require(` - type kernel_t; - ') - - domtrans_pattern(kernel_t, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_domtrans_to'($*)) dnl - ') - - -######################################## -## -## Allows to start userland processes -## by transitioning to the specified domain, -## with a range transition. -## -## -## -## The process type entered by kernel. -## -## -## -## -## The executable type for the entrypoint. -## -## -## -## -## Range for the domain. -## -## -# - define(`kernel_ranged_domtrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_ranged_domtrans_to'($*)) dnl - - gen_require(` - type kernel_t; - ') - - kernel_domtrans_to($1, $2) - - ifdef(`enable_mcs',` - range_transition kernel_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition kernel_t $2:process $3; - mls_rangetrans_target($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_ranged_domtrans_to'($*)) dnl - ') - - -######################################## -## -## Allows the kernel to mount filesystems on -## the specified directory type. -## -## -## -## The type of the directory to use as a mountpoint. -## -## -# - define(`kernel_rootfs_mountpoint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rootfs_mountpoint'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow kernel_t $1:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rootfs_mountpoint'($*)) dnl - ') - - -######################################## -## -## Set the process group of kernel threads. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_setpgid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_setpgid'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process setpgid; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_setpgid'($*)) dnl - ') - - -######################################## -## -## Set the priority of kernel threads. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_setsched',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_setsched'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process setsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_setsched'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to kernel threads. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_sigchld'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_sigchld'($*)) dnl - ') - - -######################################## -## -## Send a kill signal to kernel threads. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_kill'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_kill'($*)) dnl - ') - - -######################################## -## -## Send a generic signal to kernel threads. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_signal'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_signal'($*)) dnl - ') - - -######################################## -## -## Allows the kernel to share state information with -## the caller. -## -## -## -## The type of the process with which to share state information. -## -## -# - define(`kernel_share_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_share_state'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow kernel_t $1:process share; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_share_state'($*)) dnl - ') - - -######################################## -## -## Permits caller to use kernel file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_use_fds'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## kernel file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_use_fds'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Read and write kernel unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_pipes'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Read/write to kernel using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_stream_sockets'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Connect to kernel using a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_stream_connect'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_stream_connect'($*)) dnl - ') - - -######################################## -## -## Getattr on kernel unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_getattr_dgram_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_dgram_sockets'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_dgram_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_dgram_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write kernel unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_rw_unix_dgram_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_dgram_sockets'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_dgram_socket { read write ioctl }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_unix_dgram_sockets'($*)) dnl - ') - - -######################################## -## -## Send messages to kernel unix datagram sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dgram_send'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:unix_dgram_socket sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dgram_send'($*)) dnl - ') - - -######################################## -## -## Allows caller to load kernel modules -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_load_module',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_load_module'($*)) dnl - - gen_require(` - attribute can_load_kernmodule; - ') - - typeattribute $1 can_load_kernmodule; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_load_module'($*)) dnl - ') - - -######################################## -## -## Allow search the kernel key ring. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_search_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_key'($*)) dnl - ') - - -######################################## -## -## dontaudit search the kernel key ring. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_search_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_key'($*)) dnl - ') - - -######################################## -## -## Allow link to the kernel key ring. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_link_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_link_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:key link; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_link_key'($*)) dnl - ') - - -######################################## -## -## dontaudit link to the kernel key ring. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_link_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_link_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:key link; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_link_key'($*)) dnl - ') - - -######################################## -## -## Allow view the kernel key ring. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_view_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_view_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:key view; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_view_key'($*)) dnl - ') - - -######################################## -## -## dontaudit view the kernel key ring. 
-## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_view_key',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_view_key'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:key view; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_view_key'($*)) dnl - ') - - -######################################## -## -## Allows caller to read the ring buffer. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_ring_buffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_ring_buffer'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_ring_buffer'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the ring buffer. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_read_ring_buffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_ring_buffer'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:system syslog_read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_ring_buffer'($*)) dnl - ') - - -######################################## -## -## Change the level of kernel messages logged to the console. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_change_ring_buffer_level',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_change_ring_buffer_level'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_console; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_change_ring_buffer_level'($*)) dnl - ') - - -######################################## -## -## Allows the caller to clear the ring buffer. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_clear_ring_buffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_clear_ring_buffer'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_mod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_clear_ring_buffer'($*)) dnl - ') - - -######################################## -## -## Allows caller to request the kernel to load a module -## -## -##

-## Allow the specified domain to request that the kernel -## load a kernel module. An example of this is the -## auto-loading of network drivers when doing an -## ioctl() on a network interface. -##

-##

-## In the specific case of a module loading request -## on a network interface, the domain will also -## need the net_admin capability. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_request_load_module',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_request_load_module'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system module_request; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_request_load_module'($*)) dnl - ') - - -######################################## -## -## Do not audit requests to the kernel to load a module. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_request_load_module',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_request_load_module'($*)) dnl - - gen_require(` - type kernel_t; - ') - - dontaudit $1 kernel_t:system module_request; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_request_load_module'($*)) dnl - ') - - -######################################## -## -## Get information on all System V IPC objects. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_get_sysvipc_info',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_get_sysvipc_info'($*)) dnl - - gen_require(` - type kernel_t; - ') - - allow $1 kernel_t:system ipc_info; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_get_sysvipc_info'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a kernel debugging filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_getattr_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_debugfs'($*)) dnl - ') - - -######################################## -## -## Mount a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_mount_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mount_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mount_debugfs'($*)) dnl - ') - - -######################################## -## -## Unmount a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_unmount_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_unmount_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_unmount_debugfs'($*)) dnl - ') - - -######################################## -## -## Remount a kernel debugging filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_remount_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_remount_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - allow $1 debugfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_remount_debugfs'($*)) dnl - ') - - -######################################## -## -## Search the contents of a kernel debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_search_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - search_dirs_pattern($1, debugfs_t, debugfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_debugfs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the kernel debugging filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_search_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - dontaudit $1 debugfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_debugfs'($*)) dnl - ') - - -######################################## -## -## Read information from the debugging filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_read_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - read_files_pattern($1, debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_debugfs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write kernel debugging filesystem dirs. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_write_debugfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_debugfs_dirs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - dontaudit $1 debugfs_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_debugfs_dirs'($*)) dnl - ') - - -######################################## -## -## Manage information from the debugging filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_manage_debugfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_debugfs'($*)) dnl - - gen_require(` - type debugfs_t; - ') - - manage_files_pattern($1, debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_debugfs'($*)) dnl - ') - - -######################################## -## -## Mount a kernel VM filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_mount_kvmfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mount_kvmfs'($*)) dnl - - gen_require(` - type kvmfs_t; - ') - - allow $1 kvmfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mount_kvmfs'($*)) dnl - ') - - -######################################## -## -## mount the proc filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_mount_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mount_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mount_proc'($*)) dnl - ') - - -######################################## -## -## remount the proc filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_remount_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_remount_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_remount_proc'($*)) dnl - ') - - -######################################## -## -## Unmount the proc filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_unmount_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_unmount_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_unmount_proc'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the proc filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_getattr_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_proc'($*)) dnl - ') - - -######################################## -## -## Mount on proc directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_mounton_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_proc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the -## attributes of directories in /proc. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_setattr_proc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setattr_proc_dirs'($*)) dnl - - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setattr_proc_dirs'($*)) dnl - ') - - -######################################## -## -## Search directories in /proc. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_search_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - search_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_proc'($*)) dnl - ') - - -######################################## -## -## List the contents of directories in /proc. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_list_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_list_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - list_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_list_proc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list the -## contents of directories in /proc. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_list_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_proc'($*)) dnl - - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_proc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write the -## directories in /proc. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_write_proc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_proc_dirs'($*)) dnl - - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_proc_dirs'($*)) dnl - ') - - -######################################## -## -## Mount the directories in /proc. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_mounton_proc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_proc_dirs'($*)) dnl - - gen_require(` - type proc_t; - ') - - allow $1 proc_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_proc_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files in /proc. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_getattr_proc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc_files'($*)) dnl - - gen_require(` - type proc_t; - ') - - getattr_files_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_proc_files'($*)) dnl - ') - - -######################################## -## -## Read generic symbolic links in /proc. -## -## -##

-## Allow the specified domain to read (follow) generic -## symbolic links (symlinks) in the proc filesystem (/proc). -## This interface does not include access to the targets of -## these links. An example symlink is /proc/self. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_proc_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_proc_symlinks'($*)) dnl - - gen_require(` - type proc_t; - ') - - read_lnk_files_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_proc_symlinks'($*)) dnl - ') - - -######################################## -## -## Allows caller to read system state information in /proc. -## -## -##

-## Allow the specified domain to read general system -## state information from the proc filesystem (/proc). -##

-##

-## Generally it should be safe to allow this access. Some -## example files that can be read based on this interface: -##

-##
    -##
  • /proc/cpuinfo
  • -##
  • /proc/meminfo
  • -##
  • /proc/uptime
  • -##
-##

-## This does not allow access to sysctl entries (/proc/sys/*) -## nor process state information (/proc/pid). -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`kernel_read_system_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_system_state'($*)) dnl - - gen_require(` - type proc_t; - ') - - read_files_pattern($1, proc_t, proc_t) - read_lnk_files_pattern($1, proc_t, proc_t) - - list_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_system_state'($*)) dnl - ') - - -######################################## -## -## Write to generic proc entries. -## -## -## -## Domain allowed access. -## -## -## -# -# cjp: this should probably go away. any -# file thats writable in proc should really -# have its own label. -# - define(`kernel_write_proc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_write_proc_files'($*)) dnl - - gen_require(` - type proc_t; - ') - - write_files_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_write_proc_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to -## read system state information in proc. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_read_system_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_system_state'($*)) dnl - - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_system_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to -## read symbolic links in proc. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_read_proc_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_proc_symlinks'($*)) dnl - - gen_require(` - type proc_t; - ') - - dontaudit $1 proc_t:lnk_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_proc_symlinks'($*)) dnl - ') - - -####################################### -## -## Allow caller to read and write state information for AFS. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_afs_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_afs_state'($*)) dnl - - gen_require(` - type proc_t, proc_afs_t; - ') - - list_dirs_pattern($1, proc_t, proc_t) - rw_files_pattern($1, proc_afs_t, proc_afs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_afs_state'($*)) dnl - ') - - -####################################### -## -## Allow caller to read the state information for software raid. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_software_raid_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_software_raid_state'($*)) dnl - - gen_require(` - type proc_t, proc_mdstat_t; - ') - - read_files_pattern($1, proc_t, proc_mdstat_t) - - list_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_software_raid_state'($*)) dnl - ') - - -####################################### -## -## Allow caller to read and set the state information for software raid. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_rw_software_raid_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_software_raid_state'($*)) dnl - - gen_require(` - type proc_t, proc_mdstat_t; - ') - - rw_files_pattern($1, proc_t, proc_mdstat_t) - - list_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_software_raid_state'($*)) dnl - ') - - -######################################## -## -## Allows caller to get attribues of core kernel interface. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_getattr_core_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_core_if'($*)) dnl - - gen_require(` - type proc_t, proc_kcore_t; - ') - - getattr_files_pattern($1, proc_t, proc_kcore_t) - - list_dirs_pattern($1, proc_t, proc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_core_if'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## core kernel interfaces. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_getattr_core_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_core_if'($*)) dnl - - gen_require(` - type proc_kcore_t; - ') - - dontaudit $1 proc_kcore_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_core_if'($*)) dnl - ') - - -######################################## -## -## Allows caller to read the core kernel interface. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_read_core_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_core_if'($*)) dnl - - gen_require(` - type proc_t, proc_kcore_t; - attribute can_dump_kernel; - ') - - allow $1 self:capability sys_rawio; - read_files_pattern($1, proc_t, proc_kcore_t) - list_dirs_pattern($1, proc_t, proc_t) - - typeattribute $1 can_dump_kernel; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_core_if'($*)) dnl - ') - - -######################################## -## -## Allow caller to read kernel messages -## using the /proc/kmsg interface. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_read_messages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_messages'($*)) dnl - - gen_require(` - attribute can_receive_kernel_messages; - type proc_kmsg_t, proc_t; - ') - - read_files_pattern($1, proc_t, proc_kmsg_t) - - typeattribute $1 can_receive_kernel_messages; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_messages'($*)) dnl - ') - - -######################################## -## -## Allow caller to get the attributes of kernel message -## interface (/proc/kmsg). -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_getattr_message_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_message_if'($*)) dnl - - gen_require(` - type proc_kmsg_t, proc_t; - ') - - getattr_files_pattern($1, proc_t, proc_kmsg_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_message_if'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get the attributes of kernel -## message interfaces. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_getattr_message_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_message_if'($*)) dnl - - gen_require(` - type proc_kmsg_t; - ') - - dontaudit $1 proc_kmsg_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_message_if'($*)) dnl - ') - - -######################################## -## -## Mount on kernel message interfaces files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_mounton_message_if',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_message_if'($*)) dnl - - gen_require(` - type proc_t, proc_kmsg_t; - ') - - allow $1 proc_t:dir list_dir_perms; - allow $1 proc_kmsg_t:file { getattr mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_message_if'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the network -## state directory. -## -## -## -## Domain to not audit. -## -## -## -# - define(`kernel_dontaudit_search_network_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_state'($*)) dnl - - gen_require(` - type proc_net_t; - ') - - dontaudit $1 proc_net_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_state'($*)) dnl - ') - - -######################################## -## -## Allow searching of network state directory. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_search_network_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_network_state'($*)) dnl - - gen_require(` - type proc_t, proc_net_t; - ') - - search_dirs_pattern($1, proc_t, proc_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_network_state'($*)) dnl - ') - - -######################################## -## -## Read the network state information. -## -## -##

-## Allow the specified domain to read the networking -## state information. This includes several pieces -## of networking information, such as network interface -## names, netfilter (iptables) statistics, protocol -## information, routes, and remote procedure call (RPC) -## information. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`kernel_read_network_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_network_state'($*)) dnl - - gen_require(` - type proc_t, proc_net_t; - ') - - read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - - list_dirs_pattern($1, proc_t, proc_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_network_state'($*)) dnl - ') - - -######################################## -## -## Allow caller to read the network state symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_read_network_state_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_network_state_symlinks'($*)) dnl - - gen_require(` - type proc_t, proc_net_t; - ') - - read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) - - list_dirs_pattern($1, proc_t, proc_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_network_state_symlinks'($*)) dnl - ') - - -######################################## -## -## Allow searching of xen state directory. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_search_xen_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_xen_state'($*)) dnl - - gen_require(` - type proc_t, proc_xen_t; - ') - - search_dirs_pattern($1, proc_t, proc_xen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_xen_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the xen -## state directory. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`kernel_dontaudit_search_xen_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_xen_state'($*)) dnl - - gen_require(` - type proc_xen_t; - ') - - dontaudit $1 proc_xen_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_xen_state'($*)) dnl - ') - - -######################################## -## -## Allow caller to read the xen state information. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_xen_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state'($*)) dnl - - gen_require(` - type proc_t, proc_xen_t; - ') - - read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - - list_dirs_pattern($1, proc_t, proc_xen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_xen_state'($*)) dnl - ') - - -######################################## -## -## Allow caller to read the xen state symbolic links. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_xen_state_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state_symlinks'($*)) dnl - - gen_require(` - type proc_t, proc_xen_t; - ') - - read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - - list_dirs_pattern($1, proc_t, proc_xen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_xen_state_symlinks'($*)) dnl - ') - - -######################################## -## -## Allow caller to write xen state information. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_write_xen_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_write_xen_state'($*)) dnl - - gen_require(` - type proc_t, proc_xen_t; - ') - - write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_write_xen_state'($*)) dnl - ') - - -######################################## -## -## Allow attempts to list all proc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_list_all_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_list_all_proc'($*)) dnl - - gen_require(` - attribute proc_type; - ') - - allow $1 proc_type:dir list_dir_perms; - allow $1 proc_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_list_all_proc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list all proc directories. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_list_all_proc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_proc'($*)) dnl - - gen_require(` - attribute proc_type; - ') - - dontaudit $1 proc_type:dir list_dir_perms; - dontaudit $1 proc_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_proc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to search -## the base directory of sysctls. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`kernel_dontaudit_search_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_sysctl'($*)) dnl - - gen_require(` - type sysctl_t; - ') - - dontaudit $1 sysctl_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_sysctl'($*)) dnl - ') - - -######################################## -## -## Mount on sysctl_t dirs. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_mounton_sysctl_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_sysctl_dirs'($*)) dnl - - gen_require(` - type proc_t, sysctl_t; - ') - - allow $1 proc_t:dir list_dir_perms; - allow $1 sysctl_t:dir { getattr mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_sysctl_dirs'($*)) dnl - ') - - -######################################## -## -## Allow access to read sysctl directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_sysctl'($*)) dnl - - gen_require(` - type sysctl_t, proc_t; - ') - - list_dirs_pattern($1, proc_t, sysctl_t) - read_files_pattern($1, sysctl_t, sysctl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_sysctl'($*)) dnl - ') - - -######################################## -## -## Mount on sysctl files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_mounton_sysctl_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_sysctl_files'($*)) dnl - - gen_require(` - type proc_t, sysctl_t; - ') - - allow $1 { proc_t sysctl_t }:dir list_dir_perms; - allow $1 sysctl_t:file { getattr mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_sysctl_files'($*)) dnl - ') - - -######################################## -## -## Allow caller to read the device sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_device_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_device_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_dev_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_device_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write device sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_device_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_device_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_dev_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_device_sysctls'($*)) dnl - ') - - -######################################## -## -## Allow caller to search virtual memory sysctls. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_search_vm_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_vm_sysctl'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_vm_sysctl'($*)) dnl - ') - - -######################################## -## -## Allow caller to read virtual memory sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_vm_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_vm_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_vm_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write virtual memory sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_vm_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_vm_t; - ') - - rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) - - # hal needs this - allow $1 sysctl_vm_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_vm_sysctls'($*)) dnl - ') - - -######################################## -## -## Search network sysctl directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_search_network_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_network_sysctl'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_network_sysctl'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to search network sysctl directories. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_search_network_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_sysctl'($*)) dnl - - gen_require(` - type sysctl_net_t; - ') - - dontaudit $1 sysctl_net_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_sysctl'($*)) dnl - ') - - -######################################## -## -## Allow caller to read network sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_net_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_net_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_net_sysctls'($*)) dnl - ') - - -######################################## -## -## Allow caller to modiry contents of sysctl network files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_rw_net_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_net_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_net_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_net_sysctls'($*)) dnl - ') - - -######################################## -## -## Allow caller to read unix domain -## socket sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_unix_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_unix_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, { sysctl_net_t sysctl_net_unix_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_unix_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write unix domain -## socket sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_unix_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, { sysctl_net_t sysctl_net_unix_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_unix_sysctls'($*)) dnl - ') - - -######################################## -## -## Read the hotplug sysctl. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_hotplug_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_hotplug_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_hotplug_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write the hotplug sysctl. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_hotplug_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_hotplug_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_hotplug_sysctls'($*)) dnl - ') - - -######################################## -## -## Read the modprobe sysctl. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_read_modprobe_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_modprobe_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_modprobe_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write the modprobe sysctl. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_modprobe_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_modprobe_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_modprobe_sysctls'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search generic kernel sysctls. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_search_kernel_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_kernel_sysctl'($*)) dnl - - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_kernel_sysctl'($*)) dnl - ') - - -####################################### -## -## Do not audit attempted reading of kernel sysctls -## -## -## -## Domain to not audit accesses from -## -## -# - define(`kernel_dontaudit_read_kernel_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_kernel_sysctl'($*)) dnl - - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_kernel_sysctl'($*)) dnl - ') - - -######################################## -## -## Read generic crypto sysctls. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_read_crypto_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_crypto_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_crypto_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_crypto_sysctls'($*)) dnl - ') - - -######################################## -## -## Read general kernel sysctls. -## -## -##

-## Allow the specified domain to read general -## kernel sysctl settings. These settings are typically -## read using the sysctl program. The settings -## that are included by this interface are prefixed -## with "kernel.", for example, kernel.sysrq. -##

-##

-## This does not include access to the hotplug -## handler setting (kernel.hotplug) -## nor the module installer handler setting -## (kernel.modprobe). -##

-##

-## Related interfaces: -##

-##
    -##
  • kernel_rw_kernel_sysctl()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_kernel_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_kernel_sysctls'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write generic kernel sysctls. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_write_kernel_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_sysctl'($*)) dnl - - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_sysctl'($*)) dnl - ') - - -######################################## -## -## Read and write generic kernel sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_kernel_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_sysctl'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_sysctl'($*)) dnl - ') - - -####################################### -## -## Mount on kernel sysctl files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_mounton_kernel_sysctl_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_kernel_sysctl_files'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_t; - ') - - allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; - allow $1 sysctl_kernel_t:file { getattr mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_kernel_sysctl_files'($*)) dnl - ') - - -######################################## -## -## Read kernel ns lastpid sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_kernel_ns_lastpid_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write kernel ns lastpid sysctls. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl - - gen_require(` - type sysctl_kernel_ns_last_pid_t; - ') - - dontaudit $1 sysctl_kernel_ns_last_pid_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl - ') - - -######################################## -## -## Read and write kernel ns lastpid sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_kernel_ns_lastpid_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl - ') - - -######################################## -## -## Search filesystem sysctl directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_search_fs_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_search_fs_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_fs_t; - ') - - search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_search_fs_sysctls'($*)) dnl - ') - - -######################################## -## -## Read filesystem sysctls. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_read_fs_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_fs_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_fs_t; - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_fs_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write fileystem sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_fs_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_fs_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_t, sysctl_fs_t; - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_fs_sysctls'($*)) dnl - ') - - -######################################## -## -## Read IRQ sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_irq_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_irq_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_irq_t; - ') - - read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) - - list_dirs_pattern($1, proc_t, sysctl_irq_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_irq_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write IRQ sysctls. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kernel_rw_irq_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_irq_sysctls'($*)) dnl - - gen_require(` - type proc_t, sysctl_irq_t; - ') - - rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) - - list_dirs_pattern($1, proc_t, sysctl_irq_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_irq_sysctls'($*)) dnl - ') - - -######################################## -## -## Read RPC sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_rpc_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_rpc_sysctls'($*)) dnl - - gen_require(` - type proc_t, proc_net_t, sysctl_rpc_t; - ') - - read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_rpc_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write RPC sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_rpc_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls'($*)) dnl - - gen_require(` - type proc_t, proc_net_t, sysctl_rpc_t; - ') - - rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list all sysctl directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_list_all_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_sysctls'($*)) dnl - - gen_require(` - attribute sysctl_type; - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_sysctls'($*)) dnl - ') - - -######################################## -## -## Allow caller to read all sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_all_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_all_sysctls'($*)) dnl - - gen_require(` - attribute sysctl_type; - type proc_t, proc_net_t; - ') - - # proc_net_t for /proc/net/rpc sysctls - read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) - - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_all_sysctls'($*)) dnl - ') - - -######################################## -## -## Read and write all sysctls. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_all_sysctls',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_all_sysctls'($*)) dnl - - gen_require(` - attribute sysctl_type; - type proc_t, proc_net_t; - ') - - # proc_net_t for /proc/net/rpc sysctls - rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) - - allow $1 sysctl_type:dir list_dir_perms; - # why is setattr needed? - allow $1 sysctl_type:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_all_sysctls'($*)) dnl - ') - - -######################################## -## -## Send a kill signal to unlabeled processes. 
-## -## -## -## Domain allowed access. -## -## -# - define(`kernel_kill_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_kill_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_kill_unlabeled'($*)) dnl - ') - - -######################################## -## -## Mount a kernel unlabeled filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_mount_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mount_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mount_unlabeled'($*)) dnl - ') - - -######################################## -## -## Unmount a kernel unlabeled filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_unmount_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_unmount_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_unmount_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send general signals to unlabeled processes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_signal_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_signal_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_signal_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send a null signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_signull_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_signull_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_signull_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send a stop signal to unlabeled processes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_sigstop_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_sigstop_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigstop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_sigstop_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send a child terminated signal to unlabeled processes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_sigchld_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_sigchld_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_sigchld_unlabeled'($*)) dnl - ') - - -######################################## -## -## Get the attributes of unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_getattr_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_getattr_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_getattr_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search unlabeled directories. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_search_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_unlabeled'($*)) dnl - ') - - -######################################## -## -## List unlabeled directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_list_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_list_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_list_unlabeled'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of all unlabeled_t. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_read_unlabeled_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_unlabeled_state'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir list_dir_perms; - read_files_pattern($1, unlabeled_t, unlabeled_t) - read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_unlabeled_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_dontaudit_list_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_unlabeled'($*)) dnl - ') - - -######################################## -## -## Read and write unlabeled directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_rw_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_delete_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir delete_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_manage_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on an unlabeled directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_mounton_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_mounton_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir { search_dir_perms mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_mounton_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Read unlabeled files. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_read_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Read and write unlabeled files. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_rw_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_delete_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete unlabeled files. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_manage_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of an unlabeled file. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_getattr_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to -## read an unlabeled file. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_read_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_delete_unlabeled_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_symlinks'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete unlabeled symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_manage_unlabeled_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_unlabeled_symlinks'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_unlabeled_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled symbolic links. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_getattr_unlabeled_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled named pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_getattr_unlabeled_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get the -## attributes of unlabeled named sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_getattr_unlabeled_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get attributes for -## unlabeled block devices. -## -## -## -## Domain to not audit. 
-## -## -# - define(`kernel_dontaudit_getattr_unlabeled_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl - ') - - -######################################## -## -## Read and write unlabeled block device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_rw_unlabeled_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_blk_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:blk_file rw_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_blk_files'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled block device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_delete_unlabeled_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_blk_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - delete_blk_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_blk_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete unlabeled block device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_manage_unlabeled_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_unlabeled_blk_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:blk_file manage_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_unlabeled_blk_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts by caller to get attributes for -## unlabeled character devices. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_getattr_unlabeled_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to -## write unlabeled character devices. -## -## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_write_unlabeled_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_unlabeled_chr_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_unlabeled_chr_files'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled character device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_delete_unlabeled_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_chr_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - delete_chr_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_chr_files'($*)) dnl - ') - - - -######################################## -## -## Create, read, write, and delete unlabeled character device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_manage_unlabeled_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_manage_unlabeled_chr_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:chr_file manage_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_manage_unlabeled_chr_files'($*)) dnl - ') - - -######################################## -## -## Allow caller to relabel unlabeled directories. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_relabelfrom_unlabeled_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_dirs'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_dirs'($*)) dnl - ') - - -######################################## -## -## Allow caller to relabel unlabeled files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_relabelfrom_unlabeled_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_files'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:file { getattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_files'($*)) dnl - ') - - -######################################## -## -## Allow caller to relabel unlabeled symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_relabelfrom_unlabeled_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl - ') - - -######################################## -## -## Allow caller to relabel unlabeled named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_relabelfrom_unlabeled_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_pipes'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_pipes'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled named pipes -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_delete_unlabeled_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_pipes'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_pipes'($*)) dnl - ') - - -######################################## -## -## Allow caller to relabel unlabeled named sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_relabelfrom_unlabeled_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_sockets'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - kernel_list_unlabeled($1) - allow $1 unlabeled_t:sock_file { getattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_sockets'($*)) dnl - ') - - -######################################## -## -## Delete unlabeled named sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_delete_unlabeled_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled_sockets'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - delete_sock_files_pattern($1, unlabeled_t, unlabeled_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled_sockets'($*)) dnl - ') - -######################################## -## -## Send and receive messages from an -## unlabeled IPSEC association. -## -## -##

-## Send and receive messages from an -## unlabeled IPSEC association. Network -## connections that are not protected -## by IPSEC have use an unlabeled -## assocation. -##

-##

-## The corenetwork interface -## corenet_non_ipsec_sendrecv() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_sendrecv_unlabeled_association',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_association'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:association { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_association'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and receive messages -## from an unlabeled IPSEC association. -## -## -##

-## Do not audit attempts to send and receive messages -## from an unlabeled IPSEC association. Network -## connections that are not protected -## by IPSEC have use an unlabeled -## assocation. -##

-##

-## The corenetwork interface -## corenet_dontaudit_non_ipsec_sendrecv() should -## be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_sendrecv_unlabeled_association',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:association { sendto recvfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl - ') - - -######################################## -## -## Receive TCP packets from an unlabeled connection. -## -## -##

-## Receive TCP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_tcp_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_tcp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:tcp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive TCP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_tcp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:tcp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive UDP packets from an unlabeled connection. -## -## -##

-## Receive UDP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_udp_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_udp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:udp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive UDP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_udp_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:udp_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Receive Raw IP packets from an unlabeled connection. -## -## -##

-## Receive Raw IP packets from an unlabeled connection. -##

-##

-## The corenetwork interface corenet_raw_recv_unlabeled() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_raw_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_raw_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:rawip_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_raw_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -## -## -##

-## Do not audit attempts to receive Raw IP packets from an unlabeled -## connection. -##

-##

-## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_raw_recvfrom_unlabeled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:rawip_socket recvfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl - ') - - -######################################## -## -## Send and receive unlabeled packets. -## -## -##

-## Send and receive unlabeled packets. -## These packets do not match any netfilter -## SECMARK rules. -##

-##

-## The corenetwork interface -## corenet_sendrecv_unlabeled_packets() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_sendrecv_unlabeled_packets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_packets'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:packet { send recv }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_packets'($*)) dnl - ') - - -######################################## -## -## Receive packets from an unlabeled peer. -## -## -##

-## Receive packets from an unlabeled peer, these packets do not have any -## peer labeling information present. -##

-##

-## The corenetwork interface corenet_recvfrom_unlabeled_peer() should -## be used instead of this one. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`kernel_recvfrom_unlabeled_peer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_recvfrom_unlabeled_peer'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_recvfrom_unlabeled_peer'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to receive packets from an unlabeled peer. -## -## -##

-## Do not audit attempts to receive packets from an unlabeled peer, -## these packets do not have any peer labeling information present. -##

-##

-## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() -## should be used instead of this one. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`kernel_dontaudit_recvfrom_unlabeled_peer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - dontaudit $1 unlabeled_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl - ') - - -######################################## -## -## Relabel from unlabeled database objects. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_relabelfrom_unlabeled_database',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_database'($*)) dnl - - gen_require(` - type unlabeled_t; - class db_database { setattr relabelfrom }; - class db_schema { setattr relabelfrom }; - class db_table { setattr relabelfrom }; - class db_sequence { setattr relabelfrom }; - class db_view { setattr relabelfrom }; - class db_procedure { setattr relabelfrom }; - class db_language { setattr relabelfrom }; - class db_column { setattr relabelfrom }; - class db_tuple { update relabelfrom }; - class db_blob { setattr relabelfrom }; - ') - - allow $1 unlabeled_t:db_database { setattr relabelfrom }; - allow $1 unlabeled_t:db_schema { setattr relabelfrom }; - allow $1 unlabeled_t:db_table { setattr relabelfrom }; - allow $1 unlabeled_t:db_sequence { setattr relabelfrom }; - allow $1 unlabeled_t:db_view { setattr relabelfrom }; - allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; - allow $1 unlabeled_t:db_language { setattr relabelfrom }; - allow $1 unlabeled_t:db_column { setattr relabelfrom }; - allow $1 unlabeled_t:db_tuple { update relabelfrom }; - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end 
`kernel_relabelfrom_unlabeled_database'($*)) dnl - ') - - -######################################## -## -## Unconfined access to kernel module resources. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_unconfined'($*)) dnl - - gen_require(` - attribute kern_unconfined; - ') - - typeattribute $1 kern_unconfined; - kernel_load_module($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_unconfined'($*)) dnl - ') - - -######################################## -## -## Read virtual memory overcommit sysctl. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_read_vm_overcommit_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_read_vm_overcommit_sysctl'($*)) dnl - - gen_require(` - type sysctl_vm_overcommit_t; - ') - - kernel_search_vm_sysctl($1) - allow $1 sysctl_vm_overcommit_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_read_vm_overcommit_sysctl'($*)) dnl - ') - - -######################################## -## -## Read and write virtual memory overcommit sysctl. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kernel_rw_vm_overcommit_sysctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_overcommit_sysctl'($*)) dnl - - gen_require(` - type sysctl_vm_overcommit_t; - ') - - kernel_search_vm_sysctl($1) - allow $1 sysctl_vm_overcommit_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_rw_vm_overcommit_sysctl'($*)) dnl - ') - - -######################################## -## -## Access unlabeled infiniband pkeys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kernel_ib_access_unlabeled_pkeys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_ib_access_unlabeled_pkeys'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:infiniband_pkey access; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_ib_access_unlabeled_pkeys'($*)) dnl - ') - - -######################################## -## -## Manage subnet on unlabeled Infiniband endports. -## -## -## -## Domain allowed access. -## -## -# - define(`kernel_ib_manage_subnet_unlabeled_endports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kernel_ib_manage_subnet_unlabeled_endports'($*)) dnl - - gen_require(` - type unlabeled_t; - ') - - allow $1 unlabeled_t:infiniband_endport manage_subnet; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kernel_ib_manage_subnet_unlabeled_endports'($*)) dnl - ') - - -## Policy controlling access to storage devices - -######################################## -## -## Allow the caller to get the attributes of fixed disk -## device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_getattr_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_getattr_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_getattr_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to get -## the attributes of fixed disk device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`storage_dontaudit_getattr_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dontaudit $1 fixed_disk_device_t:blk_file getattr; - dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to set the attributes of fixed disk -## device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_setattr_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_setattr_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_setattr_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to set -## the attributes of fixed disk device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_setattr_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dontaudit $1 fixed_disk_device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read from a fixed disk. 
-## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_raw_read_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_read_fixed_disk'($*)) dnl - - gen_require(` - attribute fixed_disk_raw_read; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; - typeattribute $1 fixed_disk_raw_read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_read_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read from a fixed disk -## if a tunable is set. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -## -## -## Tunable to depend on -## -## -# - define(`storage_raw_read_fixed_disk_cond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_read_fixed_disk_cond'($*)) dnl - - gen_require(` - attribute fixed_disk_raw_read; - type fixed_disk_device_t; - ') - - typeattribute $1 fixed_disk_raw_read; - tunable_policy($2, ` - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_read_fixed_disk_cond'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to read -## fixed disk device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`storage_dontaudit_read_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - - ') - - dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; - dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly write to a fixed disk. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_raw_write_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_write_fixed_disk'($*)) dnl - - gen_require(` - attribute fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; - typeattribute $1 fixed_disk_raw_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_write_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to write -## fixed disk device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`storage_dontaudit_write_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - - ') - - dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read and write to a fixed disk. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_raw_rw_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_rw_fixed_disk'($*)) dnl - - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_rw_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Allow the caller to create fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_create_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_create_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; - dev_add_entry_generic_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_create_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to delete fixed disk device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_delete_fixed_disk_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_delete_fixed_disk_dev'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; - dev_remove_entry_generic_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_delete_fixed_disk_dev'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_manage_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_manage_fixed_disk'($*)) dnl - - gen_require(` - attribute fixed_disk_raw_read, fixed_disk_raw_write; - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; - typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_manage_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Create block devices in /dev with the fixed disk type -## via an automatic type transition. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Optional filename of the block device to be created -## -## -# - define(`storage_dev_filetrans_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dev_filetrans($1, fixed_disk_device_t, blk_file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Create block devices in on a tmpfs filesystem with the -## fixed disk type via an automatic type transition. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_tmpfs_filetrans_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_tmpfs_filetrans_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_tmpfs_filetrans_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Relabel fixed disk device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_relabel_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_relabel_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_relabel_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Enable a fixed disk device as swap space -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_swapon_fixed_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_swapon_fixed_disk'($*)) dnl - - gen_require(` - type fixed_disk_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_swapon_fixed_disk'($*)) dnl - ') - - -######################################## -## -## Allow the caller to get the attributes -## of device nodes of fuse devices. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_getattr_fuse_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_getattr_fuse_dev'($*)) dnl - - gen_require(` - type fuse_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 fuse_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_getattr_fuse_dev'($*)) dnl - ') - - -######################################## -## -## read or write fuse device interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_rw_fuse',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_rw_fuse'($*)) dnl - - gen_require(` - type fuse_device_t; - ') - - allow $1 fuse_device_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_rw_fuse'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## fuse device interfaces. -## -## -## -## Domain to not audit. 
-## -## -# - define(`storage_dontaudit_rw_fuse',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_fuse'($*)) dnl - - gen_require(` - type fuse_device_t; - ') - - dontaudit $1 fuse_device_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_fuse'($*)) dnl - ') - - -######################################## -## -## Allow the caller to get the attributes of -## the generic SCSI interface device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_getattr_scsi_generic_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_getattr_scsi_generic_dev'($*)) dnl - - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_getattr_scsi_generic_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to set the attributes of -## the generic SCSI interface device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_setattr_scsi_generic_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev'($*)) dnl - - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read, in a -## generic fashion, from any SCSI device. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. 
-## -## -## -## Domain allowed access. -## -## -# - define(`storage_read_scsi_generic',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_read_scsi_generic'($*)) dnl - - gen_require(` - attribute scsi_generic_read; - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; - typeattribute $1 scsi_generic_read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_read_scsi_generic'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly write, in a -## generic fashion, from any SCSI device. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_write_scsi_generic',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_write_scsi_generic'($*)) dnl - - gen_require(` - attribute scsi_generic_write; - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; - typeattribute $1 scsi_generic_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_write_scsi_generic'($*)) dnl - ') - - -######################################## -## -## Set attributes of the device nodes -## for the SCSI generic inerface. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_setattr_scsi_generic_dev_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev_dev'($*)) dnl - - gen_require(` - type scsi_generic_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 scsi_generic_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## SCSI generic device interfaces. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_rw_scsi_generic',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_scsi_generic'($*)) dnl - - gen_require(` - type scsi_generic_device_t; - ') - - dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_scsi_generic'($*)) dnl - ') - - -######################################## -## -## Allow the caller to get the attributes of removable -## devices device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_getattr_removable_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_getattr_removable_dev'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_getattr_removable_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to get -## the attributes of removable devices device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`storage_dontaudit_getattr_removable_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_removable_dev'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_removable_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to read -## removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_read_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - - ') - - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_removable_device'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to write -## removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_write_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_removable_device'($*)) dnl - ') - - -######################################## -## -## Allow the caller to set the attributes of removable -## devices device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_setattr_removable_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_setattr_removable_dev'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_setattr_removable_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts made by the caller to set -## the attributes of removable devices device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_setattr_removable_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_removable_dev'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_removable_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read from -## a removable device. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_raw_read_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_read_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file read_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_read_removable_device'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to directly read removable devices. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_raw_read_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_read_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_read_removable_device'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly write to -## a removable device. -## This is extremely dangerous as it can bypass the -## SELinux protections for filesystem objects, and -## should only be used by trusted domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_raw_write_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_raw_write_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file write_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_raw_write_removable_device'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to directly write removable devices. -## -## -## -## Domain to not audit. -## -## -# - define(`storage_dontaudit_raw_write_removable_device',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_write_removable_device'($*)) dnl - - gen_require(` - type removable_device_t; - ') - - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_write_removable_device'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly read -## a tape device. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_read_tape',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_read_tape'($*)) dnl - - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_read_tape'($*)) dnl - ') - - -######################################## -## -## Allow the caller to directly write -## a tape device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_write_tape',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_write_tape'($*)) dnl - - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_write_tape'($*)) dnl - ') - - -######################################## -## -## Allow the caller to get the attributes -## of device nodes of tape devices. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_getattr_tape_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_getattr_tape_dev'($*)) dnl - - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_getattr_tape_dev'($*)) dnl - ') - - -######################################## -## -## Allow the caller to set the attributes -## of device nodes of tape devices. -## -## -## -## Domain allowed access. -## -## -# - define(`storage_setattr_tape_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_setattr_tape_dev'($*)) dnl - - gen_require(` - type tape_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tape_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_setattr_tape_dev'($*)) dnl - ') - - -######################################## -## -## Unconfined access to storage devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`storage_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `storage_unconfined'($*)) dnl - - gen_require(` - attribute storage_unconfined_type; - ') - - typeattribute $1 storage_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `storage_unconfined'($*)) dnl - ') - -## -## Basic filesystem types and interfaces. -## -## -##

-## This module contains basic filesystem types and interfaces. This -## includes: -##

    -##
  • The concept of different file types including basic -## files, mount points, tmp files, etc.
  • -##
  • Access to groups of files and all files.
  • -##
  • Types and interfaces for the basic filesystem layout -## (/, /etc, /tmp, /usr, etc.).
  • -##
-##

-##
-## -## Contains the concept of a file. -## Comains the file initial SID. -## - -######################################## -## -## Make the specified type usable for files -## in a filesystem. -## -## -##

-## Make the specified type usable for files -## in a filesystem. Types used for files that -## do not use this interface, or an interface that -## calls this one, will have unexpected behaviors -## while the system is running. If the type is used -## for device nodes (character or block files), then -## the dev_node() interface is more appropriate. -##

-##

-## Related interfaces: -##

-##
    -##
  • application_domain()
  • -##
  • application_executable_file()
  • -##
  • corecmd_executable_file()
  • -##
  • init_daemon_domain()
  • -##
  • init_domaion()
  • -##
  • init_ranged_daemon_domain()
  • -##
  • init_ranged_domain()
  • -##
  • init_ranged_system_domain()
  • -##
  • init_script_file()
  • -##
  • init_script_domain()
  • -##
  • init_system_domain()
  • -##
  • files_config_files()
  • -##
  • files_lock_file()
  • -##
  • files_mountpoint()
  • -##
  • files_pid_file()
  • -##
  • files_security_file()
  • -##
  • files_security_mountpoint()
  • -##
  • files_tmp_file()
  • -##
  • files_tmpfs_file()
  • -##
  • logging_log_file()
  • -##
  • userdom_user_home_content()
  • -##
-##

-## Example: -##

-##

-## type myfile_t; -## files_type(myfile_t) -## allow mydomain_t myfile_t:file read_file_perms; -##

-##
-## -## -## Type to be used for files. -## -## -## -# - define(`files_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_type'($*)) dnl - - gen_require(` - attribute file_type, non_security_file_type, non_auth_file_type; - ') - - typeattribute $1 file_type, non_security_file_type, non_auth_file_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_type'($*)) dnl - ') - - -######################################## -## -## Mark the specified type as a file -## that is related to authentication. -## -## -## -## Type of the authentication-related -## file. -## -## -# - define(`files_auth_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_auth_file'($*)) dnl - - gen_require(` - attribute file_type, security_file_type, auth_file_type; - ') - - typeattribute $1 file_type, security_file_type, auth_file_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_auth_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type a file that -## should not be dontaudited from -## browsing from user domains. -## -## -## -## Type of the file to be used as a -## member directory. -## -## -# - define(`files_security_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_security_file'($*)) dnl - - gen_require(` - attribute file_type, security_file_type, non_auth_file_type; - ') - - typeattribute $1 file_type, security_file_type, non_auth_file_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_security_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## lock files. -## -## -## -## Type to be used for lock files. 
-## -## -# - define(`files_lock_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_lock_file'($*)) dnl - - gen_require(` - attribute lockfile; - ') - - files_type($1) - typeattribute $1 lockfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_lock_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## filesystem mount points. -## -## -## -## Type to be used for mount points. -## -## -# - define(`files_mountpoint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mountpoint'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - files_type($1) - typeattribute $1 mountpoint; - - optional_policy(` - init_mountpoint($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mountpoint'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## security file filesystem mount points. -## -## -## -## Type to be used for mount points. -## -## -# - define(`files_security_mountpoint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_security_mountpoint'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - files_security_file($1) - typeattribute $1 mountpoint; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_security_mountpoint'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## runtime process ID files. -## -## -##

-## Make the specified type usable for runtime process ID files, -## typically found in /var/run. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a PID file type may result in problems with starting -## or stopping services. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_pid_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_pid_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Type to be used for PID files. -## -## -## -# - define(`files_pid_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_pid_file'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - files_type($1) - typeattribute $1 pidfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_pid_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type a -## configuration file. -## -## -##

-## Make the specified type usable for configuration files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## configuration management tools. -##

-##

-## Example usage with a domain that can read -## its configuration file /etc: -##

-##

-## type myconffile_t; -## files_config_file(myconffile_t) -## allow mydomain_t myconffile_t:file read_file_perms; -## files_search_etc(mydomain_t) -##

-##
-## -## -## Type to be used as a configuration file. -## -## -## -# - define(`files_config_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_config_file'($*)) dnl - - gen_require(` - attribute configfile; - ') - files_type($1) - typeattribute $1 configfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_config_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type a -## polyinstantiated directory. -## -## -## -## Type of the file to be used as a -## polyinstantiated directory. -## -## -# - define(`files_poly',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_poly'($*)) dnl - - gen_require(` - attribute polydir; - ') - - files_type($1) - typeattribute $1 polydir; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_poly'($*)) dnl - ') - - -######################################## -## -## Make the specified type a parent -## of a polyinstantiated directory. -## -## -## -## Type of the file to be used as a -## parent directory. -## -## -# - define(`files_poly_parent',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_poly_parent'($*)) dnl - - gen_require(` - attribute polyparent; - ') - - files_type($1) - typeattribute $1 polyparent; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_poly_parent'($*)) dnl - ') - - -######################################## -## -## Make the specified type a -## polyinstantiation member directory. -## -## -## -## Type of the file to be used as a -## member directory. 
-## -## -# - define(`files_poly_member',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_poly_member'($*)) dnl - - gen_require(` - attribute polymember; - ') - - files_type($1) - typeattribute $1 polymember; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_poly_member'($*)) dnl - ') - - -######################################## -## -## Make the domain use the specified -## type of polyinstantiated directory. -## -## -## -## Domain using the polyinstantiated -## directory. -## -## -## -## -## Type of the file to be used as a -## member directory. -## -## -# - define(`files_poly_member_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_poly_member_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - type_member $1 tmp_t:dir $2; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_poly_member_tmp'($*)) dnl - ') - - -######################################## -## -## Make the specified type a file -## used for temporary files. -## -## -##

-## Make the specified type usable for temporary files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## purging temporary files. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_tmp_filetrans()
  • -##
-##

-## Example usage with a domain that can create and -## write its temporary file in the system temporary file -## directories (/tmp or /var/tmp): -##

-##

-## type mytmpfile_t; -## files_tmp_file(mytmpfile_t) -## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; -## files_tmp_filetrans(mydomain_t, mytmpfile_t, file) -##

-##
-## -## -## Type of the file to be used as a -## temporary file. -## -## -## -# - define(`files_tmp_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_tmp_file'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - files_type($1) - files_poly_member($1) - typeattribute $1 tmpfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_tmp_file'($*)) dnl - ') - - -######################################## -## -## Transform the type into a file, for use on a -## virtual memory filesystem (tmpfs). -## -## -## -## The type to be transformed. -## -## -# - define(`files_tmpfs_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_tmpfs_file'($*)) dnl - - gen_require(` - attribute tmpfsfile; - ') - - files_type($1) - typeattribute $1 tmpfsfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_tmpfs_file'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_all_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_dirs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - getattr_dirs_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_all_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_dirs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_dirs'($*)) dnl - ') - - -######################################## -## -## List all non-security directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_non_security',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_non_security'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - list_dirs_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_non_security'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list all -## non-security directories. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_list_non_security',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_non_security'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_non_security'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on all non-security -## directories and files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_mounton_non_security',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_non_security'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir mounton; - allow $1 non_security_file_type:file mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_non_security'($*)) dnl - ') - - -######################################## -## -## Allow attempts to modify any directory -## -## -## -## Domain allowed access. -## -## -# - define(`files_write_non_security_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_write_non_security_dirs'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_write_non_security_dirs'($*)) dnl - ') - - -######################################## -## -## Allow attempts to manage non-security directories -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_non_security_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_non_security_dirs'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_non_security_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from/to non-security directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabel_non_security_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_non_security_dirs'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_non_security_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - getattr_files_pattern($1, file_type, file_type) - getattr_lnk_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all files. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_non_security_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all non-security files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_non_security_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_non_security_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - manage_files_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_non_security_files'($*)) dnl - ') - - -######################################## -## -## Relabel from/to all non-security files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_relabel_non_security_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_non_security_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - relabel_files_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_non_security_files'($*)) dnl - ') - - -######################################## -## -## Read all files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - read_files_pattern($1, file_type, file_type) - - optional_policy(` - auth_read_shadow($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_files'($*)) dnl - ') - - -######################################## -## -## Allow shared library text relocations in all files. -## -## -##

-## Allow shared library text relocations in all files. -##

-##

-## This is added to support WINE policy. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`files_execmod_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_execmod_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:file execmod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_execmod_all_files'($*)) dnl - ') - - -######################################## -## -## Read all non-security files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_read_non_security_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_non_security_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - read_files_pattern($1, non_security_file_type, non_security_file_type) - read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_non_security_files'($*)) dnl - ') - - -######################################## -## -## Read all directories on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# - define(`files_read_all_dirs_except',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_dirs_except'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 { file_type $2 }:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_dirs_except'($*)) dnl - ') - - -######################################## -## -## Read all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. 
Each type or attribute -## must be negated by the caller. -## -## -# - define(`files_read_all_files_except',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_files_except'($*)) dnl - - gen_require(` - attribute file_type; - ') - - read_files_pattern($1, { file_type $2 }, { file_type $2 }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_files_except'($*)) dnl - ') - - -######################################## -## -## Read all symbolic links on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -# - define(`files_read_all_symlinks_except',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks_except'($*)) dnl - - gen_require(` - attribute file_type; - ') - - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_symlinks_except'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_symlinks'($*)) dnl - - gen_require(` - attribute file_type; - ') - - getattr_lnk_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all symbolic links. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_symlinks'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read all symbolic links. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_read_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_symlinks'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:lnk_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security symbolic links. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_non_security_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_symlinks'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security block devices. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_non_security_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_blk_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_blk_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security character devices. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_non_security_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_chr_files'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_chr_files'($*)) dnl - ') - - -######################################## -## -## Read all symbolic links. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_read_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - read_lnk_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all named pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - getattr_fifo_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all named pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security named pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_non_security_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_pipes'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_pipes'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all named sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - getattr_sock_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all named sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of non security named sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_non_security_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_sockets'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - dontaudit $1 non_security_file_type:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_sockets'($*)) dnl - ') - - -######################################## -## -## Read all block nodes with file types. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_blk_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - read_blk_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Read all character nodes with file types. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_chr_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - read_chr_files_pattern($1, file_type, file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Relabel all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# - define(`files_relabel_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 { file_type $2 }:dir list_dir_perms; - relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - # this is only relabelfrom since there should be no - # device nodes with file types. 
- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_files'($*)) dnl - ') - - -######################################## -## -## rw all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. -## -## -## -# - define(`files_rw_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - rw_files_pattern($1, { file_type $2 }, { file_type $2 }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_all_files'($*)) dnl - ') - - -######################################## -## -## Manage all files on the filesystem, except -## the listed exceptions. -## -## -## -## Domain allowed access. -## -## -## -## -## The types to be excluded. Each type or attribute -## must be negated by the caller. 
-## -## -## -# - define(`files_manage_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_all_files'($*)) dnl - - gen_require(` - attribute file_type; - ') - - manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) - manage_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_all_files'($*)) dnl - ') - - -######################################## -## -## Search the contents of all directories on -## extended attribute filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_all'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_all'($*)) dnl - ') - - -######################################## -## -## List the contents of all directories on -## extended attribute filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_all'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_all'($*)) dnl - ') - - -######################################## -## -## Create all files as is. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_create_all_files_as',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_all_files_as'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:kernel_service create_files_as; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_all_files_as'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## contents of any directories on extended -## attribute filesystems. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_all_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_dirs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - dontaudit $1 file_type:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all filesystems -## with the type of a file. -## -## -## -## Domain allowed access. -## -## -# -# dwalsh: This interface is to allow quotacheck to work on a -# a filesystem mounted with the --context switch -# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 -# - define(`files_getattr_all_file_type_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_file_type_fs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_file_type_fs'($*)) dnl - ') - - -######################################## -## -## Relabel a filesystem to the type of a file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabelto_all_file_type_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_all_file_type_fs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_all_file_type_fs'($*)) dnl - ') - - -######################################## -## -## Relabel a filesystem to and from the type of a file. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_all_file_type_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_file_type_fs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_file_type_fs'($*)) dnl - ') - - -######################################## -## -## Mount all filesystems with the type of a file. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mount_all_file_type_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mount_all_file_type_fs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mount_all_file_type_fs'($*)) dnl - ') - - -######################################## -## -## Unmount all filesystems with the type of a file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_unmount_all_file_type_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_unmount_all_file_type_fs'($*)) dnl - - gen_require(` - attribute file_type; - ') - - allow $1 file_type:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_unmount_all_file_type_fs'($*)) dnl - ') - - -######################################## -## -## Read all non-authentication related -## directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_non_auth_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_non_auth_dirs'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - allow $1 non_auth_file_type:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_non_auth_dirs'($*)) dnl - ') - - -######################################## -## -## Read all non-authentication related -## files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_non_auth_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_non_auth_files'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - read_files_pattern($1, non_auth_file_type, non_auth_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_non_auth_files'($*)) dnl - ') - - -######################################## -## -## Read all non-authentication related -## symbolic links. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_non_auth_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_non_auth_symlinks'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_non_auth_symlinks'($*)) dnl - ') - - -######################################## -## -## rw non-authentication related files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_rw_non_auth_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_non_auth_files'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - rw_files_pattern($1, non_auth_file_type, non_auth_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_non_auth_files'($*)) dnl - ') - - -######################################## -## -## Manage non-authentication related -## files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_manage_non_auth_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_non_auth_files'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type) - manage_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) - manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_non_auth_files'($*)) dnl - ') - - -######################################## -## -## Mmap non-authentication related -## files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_map_non_auth_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_map_non_auth_files'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - allow $1 non_auth_file_type:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_map_non_auth_files'($*)) dnl - ') - - -######################################## -## -## Relabel all non-authentication related -## files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_relabel_non_auth_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_non_auth_files'($*)) dnl - - gen_require(` - attribute non_auth_file_type; - ') - - allow $1 non_auth_file_type:dir list_dir_perms; - relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - # seutil_relabelto_bin_policy($1) - # Gentoo: this is removed as we do not want to set attributes in this phase, we want - # to allow files_relabel_non_auth_files to be an optional setting (tunable). - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_non_auth_files'($*)) dnl - ') - - -############################################# -## -## Manage all configuration directories on filesystem -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_config_dirs'($*)) dnl - - gen_require(` - attribute configfile; - ') - - manage_dirs_pattern($1, configfile, configfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_config_dirs'($*)) dnl - ') - - -######################################### -## -## Relabel configuration directories -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_relabel_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_config_dirs'($*)) dnl - - gen_require(` - attribute configfile; - ') - - relabel_dirs_pattern($1, configfile, configfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_config_dirs'($*)) dnl - ') - - -######################################## -## -## Read config files in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_config_files'($*)) dnl - - gen_require(` - attribute configfile; - ') - - allow $1 configfile:dir list_dir_perms; - read_files_pattern($1, configfile, configfile) - read_lnk_files_pattern($1, configfile, configfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_config_files'($*)) dnl - ') - - -########################################### -## -## Manage all configuration files on filesystem -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_config_files'($*)) dnl - - gen_require(` - attribute configfile; - ') - - manage_files_pattern($1, configfile, configfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_config_files'($*)) dnl - ') - - -####################################### -## -## Relabel configuration files -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_relabel_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_config_files'($*)) dnl - - gen_require(` - attribute configfile; - ') - - relabel_files_pattern($1, configfile, configfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_config_files'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on all mount points. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir { search_dir_perms mounton }; - allow $1 mountpoint:file { getattr mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all mount points. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Set the attributes of all mount points. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_setattr_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes on all mount points. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_setattr_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Search all mount points. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Do not audit searching of all mount points. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_search_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## List all mount points. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - allow $1 mountpoint:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Do not audit listing of all mount points. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_list_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to mount points. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_write_all_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_mountpoints'($*)) dnl - - gen_require(` - attribute mountpoint; - ') - - dontaudit $1 mountpoint:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_mountpoints'($*)) dnl - ') - - -######################################## -## -## List the contents of the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_root',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_root'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_root'($*)) dnl - ') - - -######################################## -## -## Delete symbolic links in the -## root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_root_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_root_symlinks'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:lnk_file delete_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_root_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to / dirs. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_write_root_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_root_dirs'($*)) dnl - - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_root_dirs'($*)) dnl - ') - - -################### -## -## Do not audit attempts to write -## files in the root directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_rw_root_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_dir'($*)) dnl - - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_dir'($*)) dnl - ') - - -######################################## -## -## Watch the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_watch_root_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_watch_root_dirs'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_watch_root_dirs'($*)) dnl - ') - - -######################################## -## -## Create an object in the root directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`files_root_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_root_filetrans'($*)) dnl - - gen_require(` - type root_t; - ') - - filetrans_pattern($1, root_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_root_filetrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read files in -## the root directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_read_root_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_root_files'($*)) dnl - - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_root_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## files in the root directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_rw_root_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_files'($*)) dnl - - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## character device nodes in the root directory. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_rw_root_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_chr_files'($*)) dnl - - gen_require(` - type root_t; - ') - - dontaudit $1 root_t:chr_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_chr_files'($*)) dnl - ') - - -######################################## -## -## Delete character device nodes in -## the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_root_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_root_chr_files'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:chr_file delete_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_root_chr_files'($*)) dnl - ') - - -######################################## -## -## Delete files in the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_root_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_root_files'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:file unlink; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_root_files'($*)) dnl - ') - - -######################################## -## -## Execute files in the root directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_exec_root_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_exec_root_files'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_exec_root_files'($*)) dnl - ') - - -######################################## -## -## Remove entries from the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_root_dir_entry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_root_dir_entry'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_root_dir_entry'($*)) dnl - ') - - -######################################## -## -## Manage the root directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_root_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_root_dir'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_root_dir'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a rootfs -## file system. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_rootfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_rootfs'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_rootfs'($*)) dnl - ') - - -######################################## -## -## Associate to root file system. -## -## -## -## Type of the file to associate. -## -## -# - define(`files_associate_rootfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_associate_rootfs'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_associate_rootfs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from rootfs file system. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_rootfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_rootfs'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:filesystem { relabelto relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_rootfs'($*)) dnl - ') - - -######################################## -## -## Unmount a rootfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_unmount_rootfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_unmount_rootfs'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_unmount_rootfs'($*)) dnl - ') - - -######################################## -## -## Mount on the root directory (/) -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_root',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_root'($*)) dnl - - gen_require(` - type root_t; - ') - - allow $1 root_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_root'($*)) dnl - ') - - -######################################## -## -## Get attributes of the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_boot_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_boot_dirs'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_boot_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attributes -## of the /boot directory. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_boot_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_boot_dirs'($*)) dnl - - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_boot_dirs'($*)) dnl - ') - - -######################################## -## -## Search the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_boot',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_boot'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_boot'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the /boot directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_boot',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_boot'($*)) dnl - - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_boot'($*)) dnl - ') - - -######################################## -## -## List the /boot directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_list_boot',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_boot'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_boot'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to list the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_dontaudit_list_boot',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_boot'($*)) dnl - - gen_require(` - type boot_t; - ') - - dontaudit $1 boot_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_boot'($*)) dnl - ') - - -######################################## -## -## Create directories in /boot -## -## -## -## Domain allowed access. -## -## -# - define(`files_create_boot_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_boot_dirs'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir { create rw_dir_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_boot_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## directories in /boot. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_boot_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_boot_dirs'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_boot_dirs'($*)) dnl - ') - - -######################################## -## -## Create a private type object in boot -## with an automatic type transition -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_boot_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_boot_filetrans'($*)) dnl - - gen_require(` - type boot_t; - ') - - filetrans_pattern($1, boot_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_boot_filetrans'($*)) dnl - ') - - -######################################## -## -## read files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_read_boot_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_boot_files'($*)) dnl - - gen_require(` - type boot_t; - ') - - read_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_boot_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## in the /boot directory. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_manage_boot_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_boot_files'($*)) dnl - - gen_require(` - type boot_t; - ') - - manage_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_boot_files'($*)) dnl - ') - - -######################################## -## -## Relabel from files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabelfrom_boot_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelfrom_boot_files'($*)) dnl - - gen_require(` - type boot_t; - ') - - relabelfrom_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelfrom_boot_files'($*)) dnl - ') - - -###################################### -## -## Read symbolic links in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_boot_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_boot_symlinks'($*)) dnl - - gen_require(` - type boot_t; - ') - - read_lnk_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_boot_symlinks'($*)) dnl - ') - - -######################################## -## -## Read and write symbolic links -## in the /boot directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_rw_boot_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_boot_symlinks'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; - rw_lnk_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_boot_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links -## in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_boot_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_boot_symlinks'($*)) dnl - - gen_require(` - type boot_t; - ') - - manage_lnk_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_boot_symlinks'($*)) dnl - ') - - -######################################## -## -## Read kernel files in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_kernel_img',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_kernel_img'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, boot_t) - read_lnk_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_kernel_img'($*)) dnl - ') - - -######################################## -## -## Install a kernel into the /boot directory. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_create_kernel_img',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_kernel_img'($*)) dnl - - gen_require(` - type boot_t; - ') - - allow $1 boot_t:file { create_file_perms rw_file_perms }; - manage_lnk_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_kernel_img'($*)) dnl - ') - - -######################################## -## -## Delete a kernel from /boot. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_delete_kernel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_kernel'($*)) dnl - - gen_require(` - type boot_t; - ') - - delete_files_pattern($1, boot_t, boot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_kernel'($*)) dnl - ') - - -######################################## -## -## Getattr of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_default_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_default_dirs'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_default_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## directories with the default file type. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_default_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_dirs'($*)) dnl - - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_dirs'($*)) dnl - ') - - -######################################## -## -## Search the contents of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_default',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_default'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_default'($*)) dnl - ') - - -######################################## -## -## List contents of directories with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_default',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_default'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_default'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list contents of -## directories with the default file type. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_list_default',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_default'($*)) dnl - - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_default'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories with -## the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_default_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_default_dirs'($*)) dnl - - gen_require(` - type default_t; - ') - - manage_dirs_pattern($1, default_t, default_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_default_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on a directory with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_default',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_default'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:dir { search_dir_perms mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_default'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## files with the default file type. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_default_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_files'($*)) dnl - - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_files'($*)) dnl - ') - - -######################################## -## -## Read files with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_default_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_default_files'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_default_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read files -## with the default file type. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_read_default_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_default_files'($*)) dnl - - gen_require(` - type default_t; - ') - - dontaudit $1 default_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_default_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files with -## the default file type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_default_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_default_files'($*)) dnl - - gen_require(` - type default_t; - ') - - manage_files_pattern($1, default_t, default_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_default_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_default_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_default_symlinks'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_default_symlinks'($*)) dnl - ') - - -######################################## -## -## Read sockets with the default file type. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_default_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_default_sockets'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:sock_file read_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_default_sockets'($*)) dnl - ') - - -######################################## -## -## Read named pipes with the default file type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_default_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_default_pipes'($*)) dnl - - gen_require(` - type default_t; - ') - - allow $1 default_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_default_pipes'($*)) dnl - ') - - -######################################## -## -## Search the contents of /etc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_etc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_etc'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_etc'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the /etc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_setattr_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_etc_dirs'($*)) dnl - ') - - -######################################## -## -## List the contents of /etc directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_list_etc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_etc'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_etc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to /etc dirs. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_write_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_dirs'($*)) dnl - ') - - -######################################## -## -## Add and remove entries from /etc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_rw_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_etc_dirs'($*)) dnl - ') - - -########################################## -## -## Manage generic directories in /etc -## -## -## -## Domain allowed access -## -## -## -# - define(`files_manage_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - manage_dirs_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_etc_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel directories to etc_t. 
-## -## -## -## Domain allowed access. -## -## -# - define(`files_relabelto_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_etc_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on the -## etc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_etc_dirs'($*)) dnl - ') - - -######################################## -## -## Watch /etc directories -## -## -## -## Domain allowed access. -## -## -# - define(`files_watch_etc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_watch_etc_dirs'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_watch_etc_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic files in /etc. -## -## -##

-## Allow the specified domain to read generic -## files in /etc. These files are typically -## general system configuration files that do -## not have more specific SELinux types. Some -## examples of these files are: -##

-##
    -##
  • /etc/fstab
  • -##
  • /etc/passwd
  • -##
  • /etc/services
  • -##
  • /etc/shells
  • -##
-##

-## This interface does not include access to /etc/shadow. -##

-##

-## Generally, it is safe for many domains to have -## this access. However, since this interface provides -## access to the /etc/passwd file, caution must be -## exercised, as user account names can be leaked -## through this access. -##

-##

-## Related interfaces: -##

-##
    -##
  • auth_read_shadow()
  • -##
  • files_read_etc_runtime_files()
  • -##
  • seutil_read_config()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`files_read_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_etc_files'($*)) dnl - ') - - -######################################## -## -## Map generic files in /etc. -## -## -##

-## Allow the specified domain to map generic files in /etc. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_read_etc_files()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`files_map_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_map_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_map_etc_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write generic files in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_dontaudit_write_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_files'($*)) dnl - ') - - -######################################## -## -## Read and write generic files in /etc. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_rw_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_etc_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic -## files in /etc. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_manage_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - manage_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_etc_files'($*)) dnl - ') - - -######################################## -## -## Delete system configuration files in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - delete_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_etc_files'($*)) dnl - ') - - -######################################## -## -## Execute generic files in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_exec_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_exec_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_lnk_files_pattern($1, etc_t, etc_t) - exec_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_exec_etc_files'($*)) dnl - ') - - -######################################## -## -## Get etc_t service status. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_get_etc_unit_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_get_etc_unit_status'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_get_etc_unit_status'($*)) dnl - ') - - -######################################## -## -## start etc_t service -## -## -## -## Domain allowed access. -## -## -# - define(`files_start_etc_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_start_etc_service'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:service start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_start_etc_service'($*)) dnl - ') - - -######################################## -## -## stop etc_t service -## -## -## -## Domain allowed access. -## -## -# - define(`files_stop_etc_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_stop_etc_service'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:service stop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_stop_etc_service'($*)) dnl - ') - - -####################################### -## -## Relabel from and to generic files in /etc. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabel_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - allow $1 etc_t:dir list_dir_perms; - relabel_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_etc_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_etc_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_etc_symlinks'($*)) dnl - - gen_require(` - type etc_t; - ') - - read_lnk_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_etc_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links in /etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_etc_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_etc_symlinks'($*)) dnl - - gen_require(` - type etc_t; - ') - - manage_lnk_files_pattern($1, etc_t, etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_etc_symlinks'($*)) dnl - ') - - -######################################## -## -## Create objects in /etc with a private -## type using a type_transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Object classes to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`files_etc_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_etc_filetrans'($*)) dnl - - gen_require(` - type etc_t; - ') - - filetrans_pattern($1, etc_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_etc_filetrans'($*)) dnl - ') - - -######################################## -## -## Create a boot flag. -## -## -##

-## Create a boot flag, such as -## /.autorelabel and /.autofsck. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -## -# - define(`files_create_boot_flag',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_boot_flag'($*)) dnl - - gen_require(` - type root_t, etc_runtime_t; - ') - - allow $1 etc_runtime_t:file manage_file_perms; - filetrans_pattern($1, root_t, etc_runtime_t, file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_boot_flag'($*)) dnl - ') - - -######################################## -## -## Delete a boot flag. -## -## -##

-## Delete a boot flag, such as -## /.autorelabel and /.autofsck. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`files_delete_boot_flag',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_boot_flag'($*)) dnl - - gen_require(` - type root_t, etc_runtime_t; - ') - - delete_files_pattern($1, root_t, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_boot_flag'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the -## etc_runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_etc_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_etc_runtime_dirs'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - allow $1 etc_runtime_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_etc_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on the -## etc_runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_etc_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_etc_runtime_dirs'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - allow $1 etc_runtime_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_etc_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to etc_runtime_t dirs. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabelto_etc_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_etc_runtime_dirs'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - allow $1 etc_runtime_t:dir relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_etc_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes of the etc_runtime files -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_setattr_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Read files in /etc that are dynamically -## created on boot, such as mtab. -## -## -##

-## Allow the specified domain to read dynamically created -## configuration files in /etc. These files are typically -## general system configuration files that do -## not have more specific SELinux types. Some -## examples of these files are: -##

-##
    -##
  • /etc/motd
  • -##
  • /etc/mtab
  • -##
  • /etc/nologin
  • -##
-##

-## This interface does not include access to /etc/shadow. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`files_read_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_t, etc_runtime_t; - ') - - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_runtime_t) - read_lnk_files_pattern($1, etc_t, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read files -## in /etc that are dynamically -## created on boot, such as mtab. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_read_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read files -## in /etc -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_read_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_files'($*)) dnl - - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## etc runtime files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_write_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Read and write files in /etc that are dynamically -## created on boot, such as mtab. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_rw_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_t, etc_runtime_t; - ') - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files in -## /etc that are dynamically created on boot, -## such as mtab. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Relabel to etc_runtime_t files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabelto_etc_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_etc_runtime_files'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - allow $1 etc_runtime_t:file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_etc_runtime_files'($*)) dnl - ') - - -######################################## -## -## Create, etc runtime objects with an automatic -## type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_etc_filetrans_etc_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_etc_runtime'($*)) dnl - - gen_require(` - type etc_t, etc_runtime_t; - ') - - filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_etc_filetrans_etc_runtime'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the home directories root -## (/home). -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_home_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_home_dir'($*)) dnl - - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir getattr; - allow $1 home_root_t:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_home_dir'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of the home directories root -## (/home). -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_home_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_home_dir'($*)) dnl - - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir getattr; - dontaudit $1 home_root_t:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_home_dir'($*)) dnl - ') - - -######################################## -## -## Search home directories root (/home). -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir search_dir_perms; - allow $1 home_root_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_home'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## home directories root (/home). -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir search_dir_perms; - dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_home'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list -## home directories root (/home). -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_list_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - dontaudit $1 home_root_t:dir list_dir_perms; - dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_home'($*)) dnl - ') - - -######################################## -## -## Get listing of home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir list_dir_perms; - allow $1 home_root_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_home'($*)) dnl - ') - - -######################################## -## -## Relabel to user home root (/home). -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabelto_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_home'($*)) dnl - ') - - -######################################## -## -## Relabel from user home root (/home). -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_relabelfrom_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelfrom_home'($*)) dnl - - gen_require(` - type home_root_t; - ') - - allow $1 home_root_t:dir relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelfrom_home'($*)) dnl - ') - - -######################################## -## -## Create objects in /home. -## -## -## -## Domain allowed access. -## -## -## -## -## The private type. -## -## -## -## -## The class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_home_filetrans'($*)) dnl - - gen_require(` - type home_root_t; - ') - - filetrans_pattern($1, home_root_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Get the attributes of lost+found directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_lost_found_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_lost_found_dirs'($*)) dnl - - gen_require(` - type lost_found_t; - ') - - allow $1 lost_found_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_lost_found_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## lost+found directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_getattr_lost_found_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_lost_found_dirs'($*)) dnl - - gen_require(` - type lost_found_t; - ') - - dontaudit $1 lost_found_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_lost_found_dirs'($*)) dnl - ') - - -####################################### -## -## List the contents of lost+found directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_lost_found',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_lost_found'($*)) dnl - - gen_require(` - type lost_found_t; - ') - - allow $1 lost_found_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_lost_found'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete objects in -## lost+found directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_lost_found',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_lost_found'($*)) dnl - - gen_require(` - type lost_found_t; - ') - - manage_dirs_pattern($1, lost_found_t, lost_found_t) - manage_files_pattern($1, lost_found_t, lost_found_t) - manage_lnk_files_pattern($1, lost_found_t, lost_found_t) - manage_fifo_files_pattern($1, lost_found_t, lost_found_t) - manage_sock_files_pattern($1, lost_found_t, lost_found_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_lost_found'($*)) dnl - ') - - -######################################## -## -## Search the contents of /mnt. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_search_mnt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_mnt'($*)) dnl - - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_mnt'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search /mnt. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_mnt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_mnt'($*)) dnl - - gen_require(` - type mnt_t; - ') - - dontaudit $1 mnt_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_mnt'($*)) dnl - ') - - -######################################## -## -## List the contents of /mnt. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_mnt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_mnt'($*)) dnl - - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_mnt'($*)) dnl - ') - - -###################################### -## -## Do not audit attempts to list the contents of /mnt. -## -## -## -## Domain allowed access. -## -## -# - define(`files_dontaudit_list_mnt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_mnt'($*)) dnl - - gen_require(` - type mnt_t; - ') - - dontaudit $1 mnt_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_mnt'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on /mnt. 
-## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_mnt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_mnt'($*)) dnl - - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir { search_dir_perms mounton }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_mnt'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories in /mnt. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_mnt_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_mnt_dirs'($*)) dnl - - gen_require(` - type mnt_t; - ') - - allow $1 mnt_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_mnt_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files in /mnt. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_mnt_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_mnt_files'($*)) dnl - - gen_require(` - type mnt_t; - ') - - manage_files_pattern($1, mnt_t, mnt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_mnt_files'($*)) dnl - ') - - -######################################## -## -## read files in /mnt. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_mnt_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_mnt_files'($*)) dnl - - gen_require(` - type mnt_t; - ') - - read_files_pattern($1, mnt_t, mnt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_mnt_files'($*)) dnl - ') - - -###################################### -## -## Read symbolic links in /mnt. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_mnt_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_mnt_symlinks'($*)) dnl - - gen_require(` - type mnt_t; - ') - - read_lnk_files_pattern($1, mnt_t, mnt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_mnt_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links in /mnt. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_mnt_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_mnt_symlinks'($*)) dnl - - gen_require(` - type mnt_t; - ') - - manage_lnk_files_pattern($1, mnt_t, mnt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_mnt_symlinks'($*)) dnl - ') - - -######################################## -## -## Search the contents of the kernel module directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_search_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir search_dir_perms; - read_lnk_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_kernel_modules'($*)) dnl - ') - - -######################################## -## -## List the contents of the kernel module directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; - read_lnk_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Get the attributes of kernel module files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Read kernel module files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; - read_files_pattern($1, modules_object_t, modules_object_t) - read_lnk_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Write kernel module files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_write_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_write_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir list_dir_perms; - write_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_write_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Delete kernel module files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - delete_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kernel module files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_manage_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - allow $1 modules_object_t:dir rw_dir_perms; - manage_files_pattern($1, modules_object_t, modules_object_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Relabel from and to kernel module files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - relabel_files_pattern($1, modules_object_t, modules_object_t) - allow $1 modules_object_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_kernel_modules'($*)) dnl - ') - - -######################################## -## -## Create objects in the kernel module directories -## with a private type via an automatic type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_kernel_modules_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_kernel_modules_filetrans'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - filetrans_pattern($1, modules_object_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_kernel_modules_filetrans'($*)) dnl - ') - - -######################################## -## -## Load kernel module files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`files_load_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_load_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - files_read_kernel_modules($1) - allow $1 modules_object_t:system module_load; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_load_kernel_modules'($*)) dnl - ') - - -######################################## -## -## List world-readable directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_list_world_readable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_world_readable'($*)) dnl - - gen_require(` - type readable_t; - ') - - allow $1 readable_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_world_readable'($*)) dnl - ') - - -######################################## -## -## Read world-readable files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_read_world_readable_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_world_readable_files'($*)) dnl - - gen_require(` - type readable_t; - ') - - allow $1 readable_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_world_readable_files'($*)) dnl - ') - - -######################################## -## -## Read world-readable symbolic links. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_read_world_readable_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_world_readable_symlinks'($*)) dnl - - gen_require(` - type readable_t; - ') - - allow $1 readable_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_world_readable_symlinks'($*)) dnl - ') - - -######################################## -## -## Read world-readable named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_world_readable_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_world_readable_pipes'($*)) dnl - - gen_require(` - type readable_t; - ') - - allow $1 readable_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_world_readable_pipes'($*)) dnl - ') - - -######################################## -## -## Read world-readable sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_world_readable_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_world_readable_sockets'($*)) dnl - - gen_require(` - type readable_t; - ') - - allow $1 readable_t:sock_file read_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_world_readable_sockets'($*)) dnl - ') - - -######################################## -## -## Allow the specified type to associate -## to a filesystem with the type of the -## temporary directory (/tmp). -## -## -## -## Type of the file to associate. 
-## -## -# - define(`files_associate_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_associate_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_associate_tmp'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_tmp_dirs'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# - define(`files_dontaudit_getattr_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmp_dirs'($*)) dnl - - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Search the tmp directory (/tmp). -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_search_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_tmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the tmp directory (/tmp). -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_tmp'($*)) dnl - ') - - -######################################## -## -## Read the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_tmp'($*)) dnl - ') - - -######################################## -## -## Do not audit listing of the tmp directory (/tmp). -## -## -## -## Domain not to audit. 
-## -## -# - define(`files_dontaudit_list_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - dontaudit $1 tmp_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_tmp'($*)) dnl - ') - - -######################################## -## -## Remove entries from the tmp directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_tmp_dir_entry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_tmp_dir_entry'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir del_entry_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_tmp_dir_entry'($*)) dnl - ') - - -######################################## -## -## Read files in the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_generic_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_files'($*)) dnl - - gen_require(` - type tmp_t; - ') - - read_files_pattern($1, tmp_t, tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_files'($*)) dnl - ') - - -######################################## -## -## Manage temporary directories in /tmp. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_generic_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_dirs'($*)) dnl - - gen_require(` - type tmp_t; - ') - - manage_dirs_pattern($1, tmp_t, tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Manage temporary files and directories in /tmp. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_generic_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_files'($*)) dnl - - gen_require(` - type tmp_t; - ') - - manage_files_pattern($1, tmp_t, tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in the tmp directory (/tmp). -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_generic_tmp_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_symlinks'($*)) dnl - - gen_require(` - type tmp_t; - ') - - read_lnk_files_pattern($1, tmp_t, tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_symlinks'($*)) dnl - ') - - -######################################## -## -## Read and write generic named sockets in the tmp directory (/tmp). -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_rw_generic_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_sockets'($*)) dnl - - gen_require(` - type tmp_t; - ') - - rw_sock_files_pattern($1, tmp_t, tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Mount filesystems in the tmp directory (/tmp) -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_tmp'($*)) dnl - - gen_require(` - type tmp_t; - ') - - allow $1 tmp_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_tmp'($*)) dnl - ') - - -######################################## -## -## Set the attributes of all tmp directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_setattr_all_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_all_tmp_dirs'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir { search_dir_perms setattr }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_all_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## List all tmp directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_list_all_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_all_tmp'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_all_tmp'($*)) dnl - ') - - -######################################## -## -## Relabel to and from all temporary -## directory types. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_relabel_all_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_dirs'($*)) dnl - - gen_require(` - attribute tmpfile; - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; - relabel_dirs_pattern($1, tmpfile, tmpfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all tmp files. -## -## -## -## Domain not to audit. -## -## -# - define(`files_dontaudit_getattr_all_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_files'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - dontaudit $1 tmpfile:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_files'($*)) dnl - ') - - -######################################## -## -## Allow attempts to get the attributes -## of all tmp files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_all_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_all_tmp_files'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_all_tmp_files'($*)) dnl - ') - - -######################################## -## -## Relabel to and from all temporary -## file types. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_relabel_all_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_files'($*)) dnl - - gen_require(` - attribute tmpfile; - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; - relabel_files_pattern($1, tmpfile, tmpfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all tmp sock_file. -## -## -## -## Domain not to audit. -## -## -# - define(`files_dontaudit_getattr_all_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - dontaudit $1 tmpfile:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Read all tmp files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_all_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_tmp_files'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - read_files_pattern($1, tmpfile, tmpfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create an object in the tmp directories, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_tmp_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_tmp_filetrans'($*)) dnl - - gen_require(` - type tmp_t; - ') - - filetrans_pattern($1, tmp_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_tmp_filetrans'($*)) dnl - ') - - -######################################## -## -## Delete the contents of /tmp. -## -## -## -## Domain allowed access. -## -## -# - define(`files_purge_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_purge_tmp'($*)) dnl - - gen_require(` - attribute tmpfile; - ') - - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) - delete_files_pattern($1, tmpfile, tmpfile) - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_purge_tmp'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the /usr directory. 
-## -## -## -## Domain allowed access. -## -## -# - define(`files_setattr_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Search the content of /usr. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_usr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_usr'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_usr'($*)) dnl - ') - - -######################################## -## -## List the contents of generic -## directories in /usr. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_usr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_usr'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_usr'($*)) dnl - ') - - -######################################## -## -## Do not audit write of /usr dirs -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_write_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Add and remove entries from /usr directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_rw_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to add and remove -## entries from /usr directories. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_rw_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Delete generic directories in /usr in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_delete_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - delete_dirs_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Watch generic directories in /usr. -## -## -## -## Domain allowed access. -## -## -# - define(`files_watch_usr_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_watch_usr_dirs'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_watch_usr_dirs'($*)) dnl - ') - - -######################################## -## -## Delete generic files in /usr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - delete_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_usr_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files in /usr. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - getattr_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_usr_files'($*)) dnl - ') - - -######################################## -## -## Map generic files in /usr. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_map_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_map_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_map_usr_files'($*)) dnl - ') - - -######################################## -## -## Read generic files in /usr. -## -## -##

-## Allow the specified domain to read generic -## files in /usr. These files are various program -## files that do not have more specific SELinux types. -## Some examples of these files are: -##

-##
    -##
  • /usr/include/*
  • -##
  • /usr/share/doc/*
  • -##
  • /usr/share/info/*
  • -##
-##

-## Generally, it is safe for many domains to have -## this access. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`files_read_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_usr_files'($*)) dnl - ') - - -######################################## -## -## Execute generic programs in /usr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`files_exec_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_exec_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_exec_usr_files'($*)) dnl - ') - - -######################################## -## -## dontaudit write of /usr files -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_write_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - dontaudit $1 usr_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files in the /usr directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - manage_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_usr_files'($*)) dnl - ') - - -######################################## -## -## Relabel a file to the type used in /usr. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabelto_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelto_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - relabelto_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelto_usr_files'($*)) dnl - ') - - -######################################## -## -## Relabel a file from the type used in /usr. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabelfrom_usr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabelfrom_usr_files'($*)) dnl - - gen_require(` - type usr_t; - ') - - relabelfrom_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabelfrom_usr_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in /usr. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_usr_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_usr_symlinks'($*)) dnl - - gen_require(` - type usr_t; - ') - - read_lnk_files_pattern($1, usr_t, usr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_usr_symlinks'($*)) dnl - ') - - -######################################## -## -## Create objects in the /usr directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_usr_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_usr_filetrans'($*)) dnl - - gen_require(` - type usr_t; - ') - - filetrans_pattern($1, usr_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_usr_filetrans'($*)) dnl - ') - - -######################################## -## -## Search directories in /usr/src. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_src',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_src'($*)) dnl - - gen_require(` - type src_t; - ') - - allow $1 src_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_src'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search /usr/src. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_search_src',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_src'($*)) dnl - - gen_require(` - type src_t; - ') - - dontaudit $1 src_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_src'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files in /usr/src. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_usr_src_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_usr_src_files'($*)) dnl - - gen_require(` - type usr_t, src_t; - ') - - getattr_files_pattern($1, src_t, src_t) - - # /usr/src/linux symlink: - read_lnk_files_pattern($1, usr_t, src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_usr_src_files'($*)) dnl - ') - - -######################################## -## -## Read files in /usr/src. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_usr_src_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_usr_src_files'($*)) dnl - - gen_require(` - type usr_t, src_t; - ') - - allow $1 usr_t:dir search_dir_perms; - read_files_pattern($1, { usr_t src_t }, src_t) - read_lnk_files_pattern($1, { usr_t src_t }, src_t) - allow $1 src_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_usr_src_files'($*)) dnl - ') - - -######################################## -## -## Execute programs in /usr/src in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_exec_usr_src_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_exec_usr_src_files'($*)) dnl - - gen_require(` - type usr_t, src_t; - ') - - list_dirs_pattern($1, usr_t, src_t) - exec_files_pattern($1, src_t, src_t) - read_lnk_files_pattern($1, src_t, src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_exec_usr_src_files'($*)) dnl - ') - - -######################################## -## -## Install a system.map into the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_create_kernel_symbol_table',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_kernel_symbol_table'($*)) dnl - - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; - allow $1 system_map_t:file { create_file_perms rw_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_kernel_symbol_table'($*)) dnl - ') - - -######################################## -## -## Read system.map in the /boot directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_kernel_symbol_table',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_kernel_symbol_table'($*)) dnl - - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, system_map_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_kernel_symbol_table'($*)) dnl - ') - - -######################################## -## -## Delete a system.map in the /boot directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_delete_kernel_symbol_table',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_kernel_symbol_table'($*)) dnl - - gen_require(` - type boot_t, system_map_t; - ') - - allow $1 boot_t:dir list_dir_perms; - delete_files_pattern($1, boot_t, system_map_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_kernel_symbol_table'($*)) dnl - ') - - -######################################## -## -## Search the contents of /var. -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_var',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_var'($*)) dnl - - gen_require(` - type var_t; - ') - - allow $1 var_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_var'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to /var. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_write_var_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_var_dirs'($*)) dnl - - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_var_dirs'($*)) dnl - ') - - -######################################## -## -## Allow attempts to write to /var.dirs -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_write_var_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_write_var_dirs'($*)) dnl - - gen_require(` - type var_t; - ') - - allow $1 var_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_write_var_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## the contents of /var. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_var',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var'($*)) dnl - - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var'($*)) dnl - ') - - -######################################## -## -## List the contents of /var. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_var',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_var'($*)) dnl - - gen_require(` - type var_t; - ') - - allow $1 var_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_var'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list -## the contents of /var. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_list_var',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_var'($*)) dnl - - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_list_var'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## in the /var directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_var_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_var_dirs'($*)) dnl - - gen_require(` - type var_t; - ') - - allow $1 var_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_var_dirs'($*)) dnl - ') - - -######################################## -## -## relabelto/from var directories -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_var_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_var_dirs'($*)) dnl - - gen_require(` - type var_t; - ') - - allow $1 var_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_var_dirs'($*)) dnl - ') - - -######################################## -## -## Read files in the /var directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_read_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_var_files'($*)) dnl - - gen_require(` - type var_t; - ') - - read_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_var_files'($*)) dnl - ') - - -######################################## -## -## Append files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_append_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_append_var_files'($*)) dnl - - gen_require(` - type var_t; - ') - - append_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_append_var_files'($*)) dnl - ') - - -######################################## -## -## Read and write files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_rw_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_var_files'($*)) dnl - - gen_require(` - type var_t; - ') - - rw_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_var_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## files in the /var directory. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_rw_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_var_files'($*)) dnl - - gen_require(` - type var_t; - ') - - dontaudit $1 var_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_var_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files in the /var directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_var_files'($*)) dnl - - gen_require(` - type var_t; - ') - - manage_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_var_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in the /var directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_var_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_var_symlinks'($*)) dnl - - gen_require(` - type var_t; - ') - - read_lnk_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_var_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic -## links in the /var directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_var_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_var_symlinks'($*)) dnl - - gen_require(` - type var_t; - ') - - manage_lnk_files_pattern($1, var_t, var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_var_symlinks'($*)) dnl - ') - - -######################################## -## -## Create objects in the /var directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_var_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_var_filetrans'($*)) dnl - - gen_require(` - type var_t; - ') - - filetrans_pattern($1, var_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_var_filetrans'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the /var/lib directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_getattr_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_var_lib_dirs'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - getattr_dirs_pattern($1, var_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Search the /var/lib directory. -## -## -##

-## Search the /var/lib directory. This is -## necessary to access files or directories under -## /var/lib that have a private type. For example, a -## domain accessing a private library file in the -## /var/lib directory: -##

-##

-## allow mydomain_t mylibfile_t:file read_file_perms; -## files_search_var_lib(mydomain_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`files_search_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_var_lib'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - search_dirs_pattern($1, var_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_var_lib'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## contents of /var/lib. -## -## -## -## Domain to not audit. -## -## -## -# - define(`files_dontaudit_search_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var_lib'($*)) dnl - - gen_require(` - type var_lib_t; - ') - - dontaudit $1 var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var_lib'($*)) dnl - ') - - -######################################## -## -## List the contents of the /var/lib directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_var_lib'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - list_dirs_pattern($1, var_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_var_lib'($*)) dnl - ') - - -########################################### -## -## Read-write /var/lib directories -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_rw_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_var_lib_dirs'($*)) dnl - - gen_require(` - type var_lib_t; - ') - - rw_dirs_pattern($1, var_lib_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## manage var_lib_t dirs -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_var_lib_dirs'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## relabel var_lib_t dirs -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_var_lib_dirs'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lib_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Create objects in the /var/lib directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`files_var_lib_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_var_lib_filetrans'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_var_lib_filetrans'($*)) dnl - ') - - -######################################## -## -## Read generic files in /var/lib. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_var_lib_files'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Read generic symbolic links in /var/lib -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_var_lib_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_var_lib_symlinks'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_var_lib_symlinks'($*)) dnl - ') - - -# cjp: the next two interfaces really need to be fixed -# in some way. They really neeed their own types. - -######################################## -## -## Create, read, write, and delete the -## pseudorandom number generator seed. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_urandom_seed',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_urandom_seed'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_urandom_seed'($*)) dnl - ') - - -######################################## -## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_mounttab',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_mounttab'($*)) dnl - - gen_require(` - type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_mounttab'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the generic lock directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_setattr_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_lock_dirs'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - setattr_dirs_pattern($1, var_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Search the locks directory (/var/lock). -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_search_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_locks'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_locks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## locks directory (/var/lock). -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_locks'($*)) dnl - - gen_require(` - type var_lock_t; - ') - - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_locks'($*)) dnl - ') - - -######################################## -## -## List generic lock directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_list_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_locks'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_locks'($*)) dnl - ') - - -######################################## -## -## Test write access on lock directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_check_write_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_check_write_lock_dirs'($*)) dnl - - gen_require(` - type var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 var_lock_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_check_write_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Add entries in the /var/lock directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_add_entry_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_add_entry_lock_dirs'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - add_entry_dirs_pattern($1, var_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_add_entry_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Add and remove entries in the /var/lock -## directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_rw_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_lock_dirs'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - rw_dirs_pattern($1, var_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Create lock directories -## -## -## -## Domain allowed access -## -## -# - define(`files_create_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_lock_dirs'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from all lock directory types. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_relabel_all_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_lock_dirs'($*)) dnl - - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of generic lock files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_getattr_generic_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_getattr_generic_locks'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_getattr_generic_locks'($*)) dnl - ') - - -######################################## -## -## Delete generic lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_generic_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_generic_locks'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_generic_locks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic -## lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_generic_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_generic_locks'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - manage_dirs_pattern($1, var_lock_t, var_lock_t) - manage_files_pattern($1, var_lock_t, var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_generic_locks'($*)) dnl - ') - - -######################################## -## -## Delete all lock files. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`files_delete_all_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_all_locks'($*)) dnl - - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, lockfile, lockfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_all_locks'($*)) dnl - ') - - -######################################## -## -## Read all lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_all_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_locks'($*)) dnl - - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_locks'($*)) dnl - ') - - -######################################## -## -## manage all lock files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_all_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_all_locks'($*)) dnl - - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_all_locks'($*)) dnl - ') - - -######################################## -## -## Relabel from/to all lock files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_all_locks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_locks'($*)) dnl - - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - relabel_dirs_pattern($1, lockfile, lockfile) - relabel_files_pattern($1, lockfile, lockfile) - relabel_lnk_files_pattern($1, lockfile, lockfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_locks'($*)) dnl - ') - - -######################################## -## -## Create an object in the locks directory, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`files_lock_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_lock_filetrans'($*)) dnl - - gen_require(` - type var_t, var_lock_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_lock_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_lock_filetrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of the /var/run directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_pid_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_pid_dirs'($*)) dnl - ') - - -######################################## -## -## mounton a /var/run directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_mounton_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_pid_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the /var/run directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_setattr_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_setattr_pid_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_setattr_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Search the contents of runtime process -## ID directories (/var/run). -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_pids'($*)) dnl - - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_pids'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## the /var/run directory. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_pids'($*)) dnl - - gen_require(` - type var_run_t; - ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_pids'($*)) dnl - ') - - -######################################## -## -## List the contents of the runtime process -## ID directories (/var/run). -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_list_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_pids'($*)) dnl - - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_pids'($*)) dnl - ') - - -######################################## -## -## Check write access on /var/run directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_check_write_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_check_write_pid_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_check_write_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create a /var/run directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_create_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_pid_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Watch /var/run directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_watch_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_watch_runtime_dirs'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_watch_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic process ID files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_generic_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_generic_pids'($*)) dnl - - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_generic_pids'($*)) dnl - ') - - -######################################## -## -## Write named generic process ID pipes -## -## -## -## Domain allowed access. -## -## -# - define(`files_write_generic_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_write_generic_pid_pipes'($*)) dnl - - gen_require(` - type var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_write_generic_pid_pipes'($*)) dnl - ') - - -######################################## -## -## Create an object in the process ID directory, with a private type. -## -## -##

-## Create an object in the process ID directory (e.g., /var/run) -## with a private type. Typically this is used for creating -## private PID files in /var/run with the private type instead -## of the general PID file type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_pid_file()
  • -##
-##

-## Example usage with a domain that can create and -## write its PID file with a private PID file type in the -## /var/run directory: -##

-##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -## files_pid_filetrans(mydomain_t, mypidfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -## -# - define(`files_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_pid_filetrans'($*)) dnl - - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_pid_filetrans'($*)) dnl - ') - - -######################################## -## -## Create a generic lock directory within the run directories -## -## -## -## Domain allowed access -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_pid_filetrans_lock_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_pid_filetrans_lock_dir'($*)) dnl - - gen_require(` - type var_lock_t; - ') - - files_pid_filetrans($1, var_lock_t, dir, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_pid_filetrans_lock_dir'($*)) dnl - ') - - -######################################## -## -## Read and write generic process ID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_rw_generic_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_rw_generic_pids'($*)) dnl - - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_rw_generic_pids'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## daemon runtime data files. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_getattr_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - type var_run_t; - ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pids'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to daemon runtime data files. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_write_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - type var_run_t; - ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_pids'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to ioctl daemon runtime data files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`files_dontaudit_ioctl_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_ioctl_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - type var_run_t; - ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file ioctl; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_ioctl_all_pids'($*)) dnl - ') - - -######################################## -## -## manage all pidfile directories -## in the /var/run directory. -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_all_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_all_pid_dirs'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - manage_dirs_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_all_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Read all process ID files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_read_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - type var_t, var_run_t; - ') - - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_all_pids'($*)) dnl - ') - - -######################################## -## -## Execute generic programs in /var/run in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_exec_generic_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_exec_generic_pid_files'($*)) dnl - - gen_require(` - type var_run_t; - ') - - exec_files_pattern($1, var_run_t, var_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_exec_generic_pid_files'($*)) dnl - ') - - -######################################## -## -## Relable all pid files -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_all_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_files'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - relabel_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_files'($*)) dnl - ') - - -######################################## -## -## Delete all process IDs. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_delete_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) - delete_fifo_files_pattern($1, pidfile, pidfile) - delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_all_pids'($*)) dnl - ') - - -######################################## -## -## Create all pid sockets -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_create_all_pid_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_all_pid_sockets'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - allow $1 pidfile:sock_file create_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_all_pid_sockets'($*)) dnl - ') - - -######################################## -## -## Create all pid named pipes -## -## -## -## Domain allowed access. -## -## -# - define(`files_create_all_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_all_pid_pipes'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - allow $1 pidfile:fifo_file create_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_all_pid_pipes'($*)) dnl - ') - - -######################################## -## -## Create all spool sockets -## -## -## -## Domain allowed access. -## -## -# - define(`files_create_all_spool_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_create_all_spool_sockets'($*)) dnl - - gen_require(` - attribute spoolfile; - ') - - allow $1 spoolfile:sock_file create_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_create_all_spool_sockets'($*)) dnl - ') - - -######################################## -## -## Delete all spool sockets -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_delete_all_spool_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_all_spool_sockets'($*)) dnl - - gen_require(` - attribute spoolfile; - ') - - allow $1 spoolfile:sock_file delete_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_all_spool_sockets'($*)) dnl - ') - - -######################################## -## -## Delete all process ID directories. -## -## -## -## Domain allowed access. -## -## -# - define(`files_delete_all_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_dirs'($*)) dnl - - gen_require(` - attribute pidfile; - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_delete_all_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write and delete all -## var_run (pid) content -## -## -## -## Domain alloed access. -## -## -# - define(`files_manage_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - manage_dirs_pattern($1, pidfile, pidfile) - manage_files_pattern($1, pidfile, pidfile) - manage_lnk_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_all_pids'($*)) dnl - ') - - -######################################## -## -## Relabel to/from all var_run (pid) directories -## -## -## -## Domain alloed access. 
-## -## -# - define(`files_relabel_all_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_dirs'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - relabel_dirs_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to/from all var_run (pid) socket files -## -## -## -## Domain alloed access. -## -## -# - define(`files_relabel_all_pid_sock_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_sock_files'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - relabel_sock_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_sock_files'($*)) dnl - ') - - -######################################## -## -## Relabel to/from all var_run (pid) files and directories -## -## -## -## Domain alloed access. -## -## -# - define(`files_relabel_all_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_pids'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - relabel_dirs_pattern($1, pidfile, pidfile) - relabel_files_pattern($1, pidfile, pidfile) - relabel_lnk_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_pids'($*)) dnl - ') - - -######################################## -## -## Mount filesystems on all polyinstantiation -## member directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_mounton_all_poly_members',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_mounton_all_poly_members'($*)) dnl - - gen_require(` - attribute polymember; - ') - - allow $1 polymember:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_mounton_all_poly_members'($*)) dnl - ') - - -######################################## -## -## Search the contents of generic spool -## directories (/var/spool). -## -## -## -## Domain allowed access. -## -## -# - define(`files_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_search_spool'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - search_dirs_pattern($1, var_t, var_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_search_spool'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search generic -## spool directories. -## -## -## -## Domain to not audit. -## -## -# - define(`files_dontaudit_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_spool'($*)) dnl - - gen_require(` - type var_spool_t; - ') - - dontaudit $1 var_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_search_spool'($*)) dnl - ') - - -######################################## -## -## List the contents of generic spool -## (/var/spool) directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_list_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_spool'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - list_dirs_pattern($1, var_t, var_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic -## spool directories (/var/spool). -## -## -## -## Domain allowed access. -## -## -# - define(`files_manage_generic_spool_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool_dirs'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_dirs_pattern($1, var_spool_t, var_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_generic_spool_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`files_read_generic_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_generic_spool'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - list_dirs_pattern($1, var_t, var_spool_t) - read_files_pattern($1, var_spool_t, var_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_generic_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic -## spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_manage_generic_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_spool_t, var_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_generic_spool'($*)) dnl - ') - - -######################################## -## -## Create objects in the spool directory -## with a private type with a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -## -## -## The name of the object being created. -## -## -# - define(`files_spool_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_spool_filetrans'($*)) dnl - - gen_require(` - type var_t, var_spool_t; - ') - - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_spool_filetrans'($*)) dnl - ') - - -######################################## -## -## Allow access to manage all polyinstantiated -## directories on the system. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_polyinstantiate_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_polyinstantiate_all'($*)) dnl - - gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; - ') - - # Need to give access to /selinux/member - selinux_compute_member($1) - - # Need sys_admin capability for mounting - allow $1 self:capability { chown fowner fsetid sys_admin }; - - # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; - - # Need to give access to the polyinstantiated subdirectories - allow $1 polymember:dir search_dir_perms; - - # Need to give access to parent directories where original - # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; - - # Need to give permission to create directories where applicable - allow $1 self:process setfscreate; - allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; - - # Default type for mountpoints - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) - - fs_mount_tmpfs($1) - fs_unmount_tmpfs($1) - - ifdef(`distro_redhat',` - # namespace.init - files_search_tmp($1) - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_polyinstantiate_all'($*)) dnl - ') - - -######################################## -## -## Unconfined access to files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_unconfined'($*)) dnl - - gen_require(` - attribute files_unconfined_type; - ') - - typeattribute $1 files_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_unconfined'($*)) dnl - ') - - -# should be in an ifdef distro_gentoo but cannot do so for interfaces - -######################################## -## -## Create, read, write, and delete symbolic links in -## /etc that are dynamically created on boot. -## -## -## -## Domain allowed access. -## -## -## -# - define(`files_manage_etc_runtime_lnk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_etc_runtime_lnk_files'($*)) dnl - - gen_require(` - type etc_t, etc_runtime_t; - ') - - manage_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_etc_runtime_lnk_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read etc_runtime resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`files_dontaudit_read_etc_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_runtime'($*)) dnl - - gen_require(` - type etc_runtime_t; - ') - - dontaudit $1 etc_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_runtime'($*)) dnl - ') - - -######################################### -## -## List usr/src files -## -## -## -## Domain allowed access -## -## -# - define(`files_list_src',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_list_src'($*)) dnl - - gen_require(` - type src_t; - ') - - list_dirs_pattern($1, src_t, src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_list_src'($*)) dnl - ') - - -######################################### -## -## Read usr/src files -## -## -## -## Domain allowed access -## -## -# - define(`files_read_src_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_src_files'($*)) dnl - - gen_require(` - type src_t; - ') - - read_files_pattern($1, src_t, src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_src_files'($*)) dnl - ') - - -######################################### -## -## Manage /usr/src files -## -## -## -## Domain allowed access -## -## -# - define(`files_manage_src_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_src_files'($*)) dnl - - gen_require(` - type src_t; - ') - - manage_files_pattern($1, src_t, src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_src_files'($*)) dnl - ') - - - -########################################## -## -## Create a resource in the generic lib location -## 
with an automatic type transition towards the kernel modules -## type -## -## -## -## Domain allowed access -## -## -## -## -## Class of the created resource for which a type transition should occur -## -## -## -## -## Optional name of the resource -## -## -# - define(`files_lib_filetrans_kernel_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_lib_filetrans_kernel_modules'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - libs_lib_filetrans($1, modules_object_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_lib_filetrans_kernel_modules'($*)) dnl - ') - - -######################################### -## -## Read etc runtime resources -## -## -## -## Domain allowed access -## -## -# - define(`files_read_etc_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_read_etc_runtime'($*)) dnl - - gen_require(` - type etc_runtime_t; - type etc_t; - ') - - list_dirs_pattern($1, etc_t, etc_runtime_t) - read_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) - read_lnk_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_read_etc_runtime'($*)) dnl - ') - - -######################################## -## -## Allow relabel from and to non-security types -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_relabel_all_non_security_file_types',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_non_security_file_types'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - allow $1 non_security_file_type:dir list_dir_perms; - - relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) - relabel_files_pattern($1, non_security_file_type, non_security_file_type) - relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type) - relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type) - relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type) - - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, non_security_file_type, non_security_file_type) - relabelfrom_chr_files_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_non_security_file_types'($*)) dnl - ') - - -######################################## -## -## Manage non-security-sensitive resource types -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`files_manage_all_non_security_file_types',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_manage_all_non_security_file_types'($*)) dnl - - gen_require(` - attribute non_security_file_type; - ') - - manage_dirs_pattern($1, non_security_file_type, non_security_file_type) - manage_files_pattern($1, non_security_file_type, non_security_file_type) - manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) - manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type) - manage_sock_files_pattern($1, non_security_file_type, non_security_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_manage_all_non_security_file_types'($*)) dnl - ') - - -######################################### -## -## Allow relabeling from and to any pidfile associated type -## -## -## -## Domain allowed access. -## -## -# - define(`files_relabel_all_pidfiles',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `files_relabel_all_pidfiles'($*)) dnl - - gen_require(` - attribute pidfile; - ') - - allow $1 pidfile:dir list_dir_perms; - - relabel_dirs_pattern($1, pidfile, pidfile) - relabel_files_pattern($1, pidfile, pidfile) - relabel_lnk_files_pattern($1, pidfile, pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `files_relabel_all_pidfiles'($*)) dnl - ') - -## User-based access control policy -## -## Contains attributes used in UBAC policy. -## - -######################################## -## -## Constrain by user-based access control (UBAC). -## -## -##

-## Constrain the specified type by user-based -## access control (UBAC). Typically, these are -## user processes or user files that need to be -## differentiated by SELinux user. Normally this -## does not include administrative or privileged -## programs. For the UBAC rules to be enforced, -## both the subject (source) type and the object -## (target) types must be UBAC constrained. -##

-##
-## -## -## Type to be constrained by UBAC. -## -## -## -# - define(`ubac_constrained',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_constrained'($*)) dnl - - gen_require(` - attribute ubac_constrained_type; - ') - - typeattribute $1 ubac_constrained_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_constrained'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for files. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_file_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_file_exempt'($*)) dnl - - gen_require(` - attribute ubacfile; - ') - - typeattribute $1 ubacfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_file_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for processes. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_process_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_process_exempt'($*)) dnl - - gen_require(` - attribute ubacproc; - ') - - typeattribute $1 ubacproc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_process_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for file descriptors. -## -## -## -## Domain to be exempted. 
-## -## -# - define(`ubac_fd_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_fd_exempt'($*)) dnl - - gen_require(` - attribute ubacfd; - ') - - typeattribute $1 ubacfd; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_fd_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for sockets. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_socket_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_socket_exempt'($*)) dnl - - gen_require(` - attribute ubacsock; - ') - - typeattribute $1 ubacsock; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_socket_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for SysV IPC. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_sysvipc_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_sysvipc_exempt'($*)) dnl - - gen_require(` - attribute ubacipc; - ') - - typeattribute $1 ubacipc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_sysvipc_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for X Windows. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_xwin_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_xwin_exempt'($*)) dnl - - gen_require(` - attribute ubacxwin; - ') - - typeattribute $1 ubacxwin; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_xwin_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for dbus. 
-## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_dbus_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_dbus_exempt'($*)) dnl - - gen_require(` - attribute ubacdbus; - ') - - typeattribute $1 ubacdbus; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_dbus_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for keys. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_key_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_key_exempt'($*)) dnl - - gen_require(` - attribute ubackey; - ') - - typeattribute $1 ubackey; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_key_exempt'($*)) dnl - ') - - -######################################## -## -## Exempt user-based access control for databases. -## -## -## -## Domain to be exempted. -## -## -# - define(`ubac_db_exempt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ubac_db_exempt'($*)) dnl - - gen_require(` - attribute ubacdb; - ') - - typeattribute $1 ubacdb; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ubac_db_exempt'($*)) dnl - ') - -## -## Policy for kernel security interface, in particular, selinuxfs. -## -## -## Contains the policy for the kernel SELinux security interface. -## - -######################################## -## -## Make the specified type used for labeling SELinux Booleans. -## This interface is only usable in the base module. -## -## -##

-## Make the specified type used for labeling SELinux Booleans. -##

-##

-## This makes use of genfscon statements, which are only -## available in the base module. Thus any module which calls this -## interface must be included in the base module. -##

-##
-## -## -## Type used for labeling a Boolean. -## -## -## -## -## Name of the Boolean. -## -## -# - define(`selinux_labeled_boolean',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_labeled_boolean'($*)) dnl - - gen_require(` - attribute boolean_type; - ') - - typeattribute $1 boolean_type; - - # because of this statement, any module which - # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_labeled_boolean'($*)) dnl - ') - - -######################################## -## -## Get the mountpoint of the selinuxfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_get_fs_mount',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_get_fs_mount'($*)) dnl - - gen_require(` - type security_t; - ') - - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - allow $1 security_t:filesystem getattr; - - # Same for /sys/fs/selinux - dev_getattr_sysfs($1) - dev_search_sysfs($1) - - # read /proc/filesystems to see if selinuxfs is supported - # then read /proc/self/mount to see where selinuxfs is mounted - kernel_read_system_state($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_get_fs_mount'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the mountpoint -## of the selinuxfs filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`selinux_dontaudit_get_fs_mount',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_get_fs_mount'($*)) dnl - - gen_require(` - type security_t; - ') - - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs - dontaudit $1 security_t:filesystem getattr; - - # Same for /sys/fs/selinux - dev_dontaudit_getattr_sysfs($1) - dev_dontaudit_search_sysfs($1) - - # read /proc/filesystems to see if selinuxfs is supported - # then read /proc/self/mount to see where selinuxfs is mounted - kernel_dontaudit_read_system_state($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_get_fs_mount'($*)) dnl - ') - - -######################################## -## -## Mount the selinuxfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_mount_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_mount_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_mount_fs'($*)) dnl - ') - - -######################################## -## -## Remount the selinuxfs filesystem. -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_remount_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_remount_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_remount_fs'($*)) dnl - ') - - -######################################## -## -## Unmount the selinuxfs filesystem. 
-## -## -## -## Domain allowed access. -## -## -# - define(`selinux_unmount_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_unmount_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_unmount_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the selinuxfs filesystem -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_getattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_getattr_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - allow $1 security_t:filesystem getattr; - - dev_getattr_sysfs($1) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_getattr_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of the selinuxfs filesystem -## -## -## -## Domain to not audit. -## -## -# - define(`selinux_dontaudit_getattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:filesystem getattr; - - dev_dontaudit_getattr_sysfs($1) - dev_dontaudit_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of the selinuxfs directory. -## -## -## -## Domain to not audit. 
-## -## -# - define(`selinux_dontaudit_getattr_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_dir'($*)) dnl - - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_dir'($*)) dnl - ') - - -######################################## -## -## Search selinuxfs. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_search_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_search_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_search_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search selinuxfs. -## -## -## -## Domain to not audit. -## -## -# - define(`selinux_dontaudit_search_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_search_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_search_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## generic selinuxfs entries -## -## -## -## Domain to not audit. 
-## -## -# - define(`selinux_dontaudit_read_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_read_fs'($*)) dnl - - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_read_fs'($*)) dnl - ') - - -######################################## -## -## Allows the caller to get the mode of policy enforcement -## (enforcing or permissive mode). -## -## -## -## Domain allowed access. -## -## -## -# - define(`selinux_get_enforce_mode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_get_enforce_mode'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_get_enforce_mode'($*)) dnl - ') - - -######################################## -## -## Allow caller to set the mode of policy enforcement -## (enforcing or permissive mode). -## -## -##

-## Allow caller to set the mode of policy enforcement -## (enforcing or permissive mode). -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`selinux_set_enforce_mode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_set_enforce_mode'($*)) dnl - - gen_require(` - attribute can_setenforce; - ') - - typeattribute $1 can_setenforce; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_set_enforce_mode'($*)) dnl - ') - - -######################################## -## -## Allow caller to load the policy into the kernel. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_load_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_load_policy'($*)) dnl - - gen_require(` - attribute can_load_policy; - ') - - typeattribute $1 can_load_policy; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_load_policy'($*)) dnl - ') - - -######################################## -## -## Allow caller to read the policy from the kernel. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_read_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_read_policy'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; - allow $1 security_t:security read_policy; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_read_policy'($*)) dnl - ') - - -######################################## -## -## Allow caller to set the state of generic Booleans to -## enable or disable conditional portions of the policy. -## -## -##

-## Allow caller to set the state of generic Booleans to -## enable or disable conditional portions of the policy. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`selinux_set_generic_booleans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_set_generic_booleans'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - - allow $1 security_t:security setbool; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_set_generic_booleans'($*)) dnl - ') - - -######################################## -## -## Allow caller to set the state of all Booleans to -## enable or disable conditional portions of the policy. -## -## -##

-## Allow caller to set the state of all Booleans to -## enable or disable conditional portions of the policy. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`selinux_set_all_booleans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_set_all_booleans'($*)) dnl - - gen_require(` - type security_t, secure_mode_policyload_t; - attribute boolean_type; - bool secure_mode_policyload; - ') - - dev_search_sysfs($1) - - allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; - - allow $1 security_t:security setbool; - - if(!secure_mode_policyload) { - allow $1 secure_mode_policyload_t:file write_file_perms; - } - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_set_all_booleans'($*)) dnl - ') - - -######################################## -## -## Allow caller to set SELinux access vector cache parameters. -## -## -##

-## Allow caller to set SELinux access vector cache parameters. -## The allows the domain to set performance related parameters -## of the AVC, such as cache threshold. -##

-##

-## Since this is a security event, this action is -## always audited. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`selinux_set_parameters',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_set_parameters'($*)) dnl - - gen_require(` - attribute can_setsecparam; - ') - - typeattribute $1 can_setsecparam; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_set_parameters'($*)) dnl - ') - - -######################################## -## -## Allows caller to validate security contexts. -## -## -## -## Domain allowed access. -## -## -## -# - define(`selinux_validate_context',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_validate_context'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security check_context; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_validate_context'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to validate security contexts. -## -## -## -## Domain to not audit. -## -## -## -# - define(`selinux_dontaudit_validate_context',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_validate_context'($*)) dnl - - gen_require(` - type security_t; - ') - - dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; - dontaudit $1 security_t:security check_context; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_dontaudit_validate_context'($*)) dnl - ') - - -######################################## -## -## Allows caller to compute an access vector. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`selinux_compute_access_vector',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_compute_access_vector'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 self:netlink_selinux_socket create_socket_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_compute_access_vector'($*)) dnl - ') - - -######################################## -## -## Calculate the default type for object creation. -## -## -## -## Domain allowed access. -## -## -## -# - define(`selinux_compute_create_context',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_compute_create_context'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_compute_create_context'($*)) dnl - ') - - -######################################## -## -## Allows caller to compute polyinstatntiated -## directory members. -## -## -## -## Domain allowed access. 
-## -## -# - define(`selinux_compute_member',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_compute_member'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_compute_member'($*)) dnl - ') - - -######################################## -## -## Calculate the context for relabeling objects. -## -## -##

-## Calculate the context for relabeling objects. -## This is determined by using the type_change -## rules in the policy, and is generally used -## for determining the context for relabeling -## a terminal when a user logs in. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`selinux_compute_relabel_context',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_compute_relabel_context'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_compute_relabel_context'($*)) dnl - ') - - -######################################## -## -## Allows caller to compute possible contexts for a user. -## -## -## -## Domain allowed access. -## -## -# - define(`selinux_compute_user_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_compute_user_contexts'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_compute_user_contexts'($*)) dnl - ') - - -######################################## -## -## Allows caller to map secuirty_t files. -## -## -## -## Domain allowed access. -## -## -# - - define(`selinux_map_security_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_map_security_files'($*)) dnl - - gen_require(` - type security_t; - ') - - dev_search_sysfs($1) - allow $1 security_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_map_security_files'($*)) dnl - ') - - -######################################## -## -## Unconfined access to the SELinux kernel security server. -## -## -## -## Domain allowed access. 
-## -## -# - define(`selinux_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `selinux_unconfined'($*)) dnl - - gen_require(` - attribute selinux_unconfined_type; - ') - - typeattribute $1 selinux_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `selinux_unconfined'($*)) dnl - ') - -## -## Device nodes and interfaces for many basic system devices. -## -## -##

-## This module creates the device node concept and provides -## the policy for many of the device files. Notable exceptions are -## the mass storage and terminal devices that are covered by other -## modules. -##

-##

-## This module creates the concept of a device node. That is a -## char or block device file, usually in /dev. All types that -## are used to label device nodes should use the dev_node macro. -##

-##

-## Additionally, this module controls access to three things: -##

    -##
  • the device directories containing device nodes
  • -##
  • device nodes as a group
  • -##
  • individual access to specific device nodes covered by -## this module.
  • -##
-##

-##
-## -## Depended on by other required modules. -## - -######################################## -## -## Make the specified type usable for device -## nodes in a filesystem. -## -## -##

-## Make the specified type usable for device nodes -## in a filesystem. Types used for device nodes that -## do not use this interface, or an interface that -## calls this one, will have unexpected behaviors -## while the system is running. -##

-##

-## Example: -##

-##

-## type mydev_t; -## dev_node(mydev_t) -## allow mydomain_t mydev_t:chr_file read_chr_file_perms; -##

-##

-## Related interfaces: -##

-##
    -##
  • term_tty()
  • -##
  • term_pty()
  • -##
-##
-## -## -## Type to be used for device nodes. -## -## -## -# - define(`dev_node',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_node'($*)) dnl - - gen_require(` - attribute device_node; - ') - - typeattribute $1 device_node; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_node'($*)) dnl - ') - - -######################################## -## -## Associate the specified file type with device filesystem. -## -## -## -## The type of the file to be associated. -## -## -# - define(`dev_associate',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_associate'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:filesystem associate; - fs_associate_tmpfs($1) #For backwards compatibility - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_associate'($*)) dnl - ') - - -######################################## -## -## Get attributes of device filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_fs'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_fs'($*)) dnl - ') - - -######################################## -## -## Watch the directories in /dev. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_watch_dev_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_watch_dev_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_watch_dev_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on /dev -## -## -## -## Domain allow access. -## -## -# - define(`dev_mounton',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mounton'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mounton'($*)) dnl - ') - - -######################################## -## -## Allow full relabeling (to and from) of all device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`dev_relabel_all_dev_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_nodes'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - relabelfrom_dirs_pattern($1, device_t, { device_t device_node }) - relabelfrom_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_sock_files_pattern($1, device_t, { device_t device_node }) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_nodes'($*)) dnl - ') - - -######################################## -## -## Allow full relabeling (to and from) of all device files. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`dev_relabel_all_dev_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_files'($*)) dnl - - gen_require(` - type device_t; - ') - - relabel_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_files'($*)) dnl - ') - - -######################################## -## -## List all of the device nodes in a device directory. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_list_all_dev_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_list_all_dev_nodes'($*)) dnl - - gen_require(` - type device_t; - ') - - list_dirs_pattern($1, device_t, device_t) - read_lnk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_list_all_dev_nodes'($*)) dnl - ') - - -######################################## -## -## Set the attributes of /dev directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - setattr_dirs_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Dontaudit attempts to list all device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_list_all_dev_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_list_all_dev_nodes'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_list_all_dev_nodes'($*)) dnl - ') - - -######################################## -## -## Add entries to directories in /dev. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_add_entry_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_add_entry_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:dir add_entry_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_add_entry_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Remove entries from directories in /dev. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_remove_entry_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_remove_entry_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:dir del_entry_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_remove_entry_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Create a directory in the device directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:dir list_dir_perms; - create_dirs_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Delete a directory in the device directory. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - delete_dirs_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Manage of directories in /dev. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_generic_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_generic_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - manage_dirs_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_generic_dirs'($*)) dnl - ') - - -######################################## -## -## Allow full relabeling (to and from) of directories in /dev. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabel_generic_dev_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_dev_dirs'($*)) dnl - - gen_require(` - type device_t; - ') - - relabel_dirs_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_generic_dev_dirs'($*)) dnl - ') - - -######################################## -## -## dontaudit getattr generic files in /dev. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_generic_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_files'($*)) dnl - ') - - -######################################## -## -## Read generic files in /dev. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_read_generic_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_generic_files'($*)) dnl - - gen_require(` - type device_t; - ') - - read_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_generic_files'($*)) dnl - ') - - -######################################## -## -## Read and write generic files in /dev. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_generic_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_generic_files'($*)) dnl - - gen_require(` - type device_t; - ') - - rw_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_generic_files'($*)) dnl - ') - - -######################################## -## -## Delete generic files in /dev. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_generic_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_generic_files'($*)) dnl - - gen_require(` - type device_t; - ') - - delete_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_generic_files'($*)) dnl - ') - - -######################################## -## -## Create a file in the device directory. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_generic_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_generic_files'($*)) dnl - - gen_require(` - type device_t; - ') - - manage_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_generic_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr on generic pipes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_getattr_generic_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_pipes'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_pipes'($*)) dnl - ') - - -######################################## -## -## Write generic socket files in /dev. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_write_generic_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_generic_sockets'($*)) dnl - - gen_require(` - type device_t; - ') - - write_sock_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_generic_sockets'($*)) dnl - ') - - -######################################## -## -## Allow getattr on generic block devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - getattr_blk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr on generic block devices. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_getattr_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Set the attributes on generic -## block devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit setattr on generic block devices. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:blk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Create generic block device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - create_blk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Delete generic block device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - delete_blk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Allow getattr for generic character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - getattr_chr_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr for generic character device files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_getattr_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Set the attributes for generic -## character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit setattr for generic character device files. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Read generic character device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Read and write generic character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Read and write generic block device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:blk_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit attempts to read/write generic character device files. -## -## -## -## Domain to dontaudit access. 
-## -## -# - define(`dev_dontaudit_rw_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Create generic character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_create_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - create_chr_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Delete generic character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - delete_chr_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Relabel from generic character device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabelfrom_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabelfrom_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:chr_file relabelfrom_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabelfrom_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## of symbolic links in device directories (/dev). -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:lnk_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - allow $1 device_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Create symbolic links in device directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - create_lnk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Delete symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - delete_lnk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, delete, read, and write symbolic links in device directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - manage_lnk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Relabel symbolic links in device directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabel_generic_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_symlinks'($*)) dnl - - gen_require(` - type device_t; - ') - - relabel_lnk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_generic_symlinks'($*)) dnl - ') - - -######################################## -## -## Write generic sock files in /dev. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_generic_sock_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_generic_sock_files'($*)) dnl - - gen_require(` - type device_t; - ') - - write_sock_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_generic_sock_files'($*)) dnl - ') - - -######################################## -## -## Create, delete, read, and write device nodes in device directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_manage_all_dev_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_all_dev_nodes'($*)) dnl - - gen_require(` - attribute device_node, memory_raw_read, memory_raw_write; - type device_t; - ') - - manage_dirs_pattern($1, device_t, device_t) - manage_sock_files_pattern($1, device_t, device_t) - manage_lnk_files_pattern($1, device_t, device_t) - manage_chr_files_pattern($1, device_t, { device_t device_node }) - manage_blk_files_pattern($1, device_t, { device_t device_node }) - relabel_dirs_pattern($1, device_t, device_t) - relabel_chr_files_pattern($1, device_t, { device_t device_node }) - relabel_blk_files_pattern($1, device_t, { device_t device_node }) - allow $1 { device_t device_node }:dir watch; - allow $1 { device_t device_node }:sock_file watch; - allow $1 { device_t device_node }:lnk_file watch; - allow $1 { device_t device_node }:chr_file watch; - allow $1 { device_t device_node }:blk_file watch; - - # these next rules are to satisfy assertions broken by the above lines. - # the permissions hopefully can be cut back a lot - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) - storage_read_scsi_generic($1) - storage_write_scsi_generic($1) - - typeattribute $1 memory_raw_read; - typeattribute $1 memory_raw_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_all_dev_nodes'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr for generic device files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_rw_generic_dev_nodes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl - - gen_require(` - type device_t; - ') - - dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl - ') - - -######################################## -## -## Create, delete, read, and write block device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_generic_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_generic_blk_files'($*)) dnl - - gen_require(` - type device_t; - ') - - manage_blk_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_generic_blk_files'($*)) dnl - ') - - -######################################## -## -## Create, delete, read, and write character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_generic_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_generic_chr_files'($*)) dnl - - gen_require(` - type device_t; - ') - - manage_chr_files_pattern($1, device_t, device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_generic_chr_files'($*)) dnl - ') - - -######################################## -## -## Create, read, and write device nodes. The node -## will be transitioned to the type provided. -## -## -## -## Domain allowed access. -## -## -## -## -## Type to which the created node will be transitioned. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. 
-## -## -## -## -## The name of the object being created. -## -## -# - define(`dev_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans'($*)) dnl - - gen_require(` - type device_t; - ') - - filetrans_pattern($1, device_t, $2, $3, $4) - - dev_associate($2) - files_associate_tmp($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans'($*)) dnl - ') - - -######################################## -## -## Create, read, and write device nodes. The node -## will be transitioned to the type provided. This is -## a temporary interface until devtmpfs functionality -## fixed. -## -## -## -## Domain allowed access. -## -## -## -## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -## -## -## -## -## The name of the object being created. -## -## -# - define(`dev_tmpfs_filetrans_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_tmpfs_filetrans_dev'($*)) dnl - - gen_require(` - type device_t; - ') - - fs_tmpfs_filetrans($1, device_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_tmpfs_filetrans_dev'($*)) dnl - ') - - -######################################## -## -## Getattr on all block file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`dev_getattr_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - getattr_blk_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr on all block file device nodes. 
-## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - dontaudit $1 { device_t device_node }:blk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Getattr on all character file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`dev_getattr_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - getattr_chr_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit getattr on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - dontaudit $1 { device_t device_node }:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Setattr on all block file device nodes. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`dev_setattr_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - setattr_blk_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Setattr on all character file device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`dev_setattr_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - setattr_chr_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit read on all block file device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:blk_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit write on all block file device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_write_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:blk_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit read on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:chr_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit write on all character file device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_write_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - ') - - dontaudit $1 device_node:chr_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Create all block device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - create_blk_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Create all character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_create_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - create_chr_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Delete all block device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - delete_blk_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Delete all character device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_delete_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - delete_chr_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Rename all block device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rename_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rename_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - rename_blk_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rename_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Rename all character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rename_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rename_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - rename_chr_files_pattern($1, device_t, device_node) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rename_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Read, write, create, and delete all block device files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_manage_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_all_blk_files'($*)) dnl - - gen_require(` - attribute device_node; - type device_t; - ') - - manage_blk_files_pattern($1, device_t, device_node) - - # these next rules are to satisfy assertions broken by the above lines. - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) - storage_read_scsi_generic($1) - storage_write_scsi_generic($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Read, write, create, and delete all character device files. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_all_chr_files'($*)) dnl - - gen_require(` - attribute device_node, memory_raw_read, memory_raw_write; - type device_t; - ') - - manage_chr_files_pattern($1, device_t, device_node) - - typeattribute $1 memory_raw_read, memory_raw_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the apm bios device node. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_acpi_bios_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_acpi_bios_dev'($*)) dnl - - gen_require(` - type device_t, acpi_bios_t; - ') - - getattr_chr_files_pattern($1, device_t, acpi_bios_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_acpi_bios_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## the apm bios device node. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_acpi_bios_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_acpi_bios_dev'($*)) dnl - - gen_require(` - type acpi_bios_t; - ') - - dontaudit $1 acpi_bios_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_acpi_bios_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the apm bios device node. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_acpi_bios_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_acpi_bios_dev'($*)) dnl - - gen_require(` - type device_t, acpi_bios_t; - ') - - setattr_chr_files_pattern($1, device_t, acpi_bios_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_acpi_bios_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes of -## the apm bios device node. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_setattr_acpi_bios_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_acpi_bios_dev'($*)) dnl - - gen_require(` - type acpi_bios_t; - ') - - dontaudit $1 acpi_bios_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_acpi_bios_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the apm bios. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_acpi_bios',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_acpi_bios'($*)) dnl - - gen_require(` - type device_t, acpi_bios_t; - ') - - rw_chr_files_pattern($1, device_t, acpi_bios_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_acpi_bios'($*)) dnl - ') - - -######################################## -## -## Getattr the agp devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_agp_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_agp_dev'($*)) dnl - - gen_require(` - type device_t, agp_device_t; - ') - - getattr_chr_files_pattern($1, device_t, agp_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_agp_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the agp devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_agp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_agp'($*)) dnl - - gen_require(` - type device_t, agp_device_t; - ') - - rw_chr_files_pattern($1, device_t, agp_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_agp'($*)) dnl - ') - - - -######################################## -## -## Get the attributes of the autofs device node. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_autofs_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_autofs_dev'($*)) dnl - - gen_require(` - type device_t, autofs_device_t; - ') - - getattr_chr_files_pattern($1, device_t, autofs_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_autofs_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## the autofs device node. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_autofs_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_autofs_dev'($*)) dnl - - gen_require(` - type autofs_device_t; - ') - - dontaudit $1 autofs_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_autofs_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the autofs device node. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_autofs_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_autofs_dev'($*)) dnl - - gen_require(` - type device_t, autofs_device_t; - ') - - setattr_chr_files_pattern($1, device_t, autofs_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_autofs_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes of -## the autofs device node. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_autofs_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_autofs_dev'($*)) dnl - - gen_require(` - type autofs_device_t; - ') - - dontaudit $1 autofs_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_autofs_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the autofs device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_autofs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_autofs'($*)) dnl - - gen_require(` - type device_t, autofs_device_t; - ') - - rw_chr_files_pattern($1, device_t, autofs_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_autofs'($*)) dnl - ') - - -######################################## -## -## Relabel the autofs device node. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabel_autofs_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_autofs_dev'($*)) dnl - - gen_require(` - type autofs_device_t; - ') - - allow $1 autofs_device_t:chr_file relabel_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_autofs_dev'($*)) dnl - ') - - -######################################## -## -## Read and write cachefiles character -## device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_cachefiles',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_cachefiles'($*)) dnl - - gen_require(` - type device_t, cachefiles_device_t; - ') - - rw_chr_files_pattern($1, device_t, cachefiles_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_cachefiles'($*)) dnl - ') - - -######################################## -## -## Read and write the PCMCIA card manager device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_cardmgr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_cardmgr'($*)) dnl - - gen_require(` - type cardmgr_dev_t, device_t; - ') - - rw_chr_files_pattern($1, device_t, cardmgr_dev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_cardmgr'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write the PCMCIA card manager device. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_rw_cardmgr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_cardmgr'($*)) dnl - - gen_require(` - type cardmgr_dev_t; - ') - - dontaudit $1 cardmgr_dev_t:chr_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_cardmgr'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## the PCMCIA card manager device -## with the correct type. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_create_cardmgr_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_cardmgr_dev'($*)) dnl - - gen_require(` - type device_t, cardmgr_dev_t; - ') - - create_chr_files_pattern($1, device_t, cardmgr_dev_t) - create_blk_files_pattern($1, device_t, cardmgr_dev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_cardmgr_dev'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## the PCMCIA card manager device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_cardmgr_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_cardmgr_dev'($*)) dnl - - gen_require(` - type device_t, cardmgr_dev_t; - ') - - manage_chr_files_pattern($1, device_t, cardmgr_dev_t) - manage_blk_files_pattern($1, device_t, cardmgr_dev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_cardmgr_dev'($*)) dnl - ') - - -######################################## -## -## Automatic type transition to the type -## for PCMCIA card manager device nodes when -## created in /dev. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`dev_filetrans_cardmgr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans_cardmgr'($*)) dnl - - gen_require(` - type device_t, cardmgr_dev_t; - ') - - filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans_cardmgr'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the CPU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_cpu_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_cpu_dev'($*)) dnl - - gen_require(` - type device_t, cpu_device_t; - ') - - getattr_chr_files_pattern($1, device_t, cpu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_cpu_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the CPU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_cpu_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_cpu_dev'($*)) dnl - - gen_require(` - type device_t, cpu_device_t; - ') - - setattr_chr_files_pattern($1, device_t, cpu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_cpu_dev'($*)) dnl - ') - - -######################################## -## -## Read the CPU identity. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_cpuid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_cpuid'($*)) dnl - - gen_require(` - type device_t, cpu_device_t; - ') - - read_chr_files_pattern($1, device_t, cpu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_cpuid'($*)) dnl - ') - - -######################################## -## -## Read and write the the CPU microcode device. This -## is required to load CPU microcode. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_cpu_microcode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_cpu_microcode'($*)) dnl - - gen_require(` - type device_t, cpu_device_t; - ') - - rw_chr_files_pattern($1, device_t, cpu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_cpu_microcode'($*)) dnl - ') - - -######################################## -## -## Read the kernel crash device -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_crash',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_crash'($*)) dnl - - gen_require(` - type device_t, crash_device_t; - ') - - read_chr_files_pattern($1, device_t, crash_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_crash'($*)) dnl - ') - - -######################################## -## -## Read and write the the hardware SSL accelerator. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_crypto',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_crypto'($*)) dnl - - gen_require(` - type device_t, crypt_device_t; - ') - - rw_chr_files_pattern($1, device_t, crypt_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_crypto'($*)) dnl - ') - - -####################################### -## -## Set the attributes of the dlm control devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_dlm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_dlm_control'($*)) dnl - - gen_require(` - type device_t, dlm_control_device_t; - ') - - setattr_chr_files_pattern($1, device_t, dlm_control_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_dlm_control'($*)) dnl - ') - - -####################################### -## -## Read and write the the dlm control device -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_dlm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_dlm_control'($*)) dnl - - gen_require(` - type device_t, dlm_control_device_t; - ') - - rw_chr_files_pattern($1, device_t, dlm_control_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_dlm_control'($*)) dnl - ') - - -######################################## -## -## getattr the dri devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_dri_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_dri_dev'($*)) dnl - - gen_require(` - type device_t, dri_device_t; - ') - - getattr_chr_files_pattern($1, device_t, dri_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_dri_dev'($*)) dnl - ') - - -######################################## -## -## Setattr the dri devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_dri_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_dri_dev'($*)) dnl - - gen_require(` - type device_t, dri_device_t; - ') - - setattr_chr_files_pattern($1, device_t, dri_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_dri_dev'($*)) dnl - ') - - -######################################## -## -## IOCTL the dri devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_ioctl_dri_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_ioctl_dri_dev'($*)) dnl - - gen_require(` - type dri_device_t; - ') - - allow $1 dri_device_t:chr_file ioctl; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_ioctl_dri_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the dri devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_dri',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_dri'($*)) dnl - - gen_require(` - type device_t, dri_device_t; - ') - - rw_chr_files_pattern($1, device_t, dri_device_t) - allow $1 dri_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_dri'($*)) dnl - ') - - -######################################## -## -## Dontaudit read and write on the dri devices. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_rw_dri',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_dri'($*)) dnl - - gen_require(` - type dri_device_t; - ') - - dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_dri'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the dri devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_dri_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_dri_dev'($*)) dnl - - gen_require(` - type device_t, dri_device_t; - ') - - manage_chr_files_pattern($1, device_t, dri_device_t) - allow $1 dri_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_dri_dev'($*)) dnl - ') - - -######################################## -## -## Automatic type transition to the type -## for DRI device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`dev_filetrans_dri',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans_dri'($*)) dnl - - gen_require(` - type device_t, dri_device_t; - ') - - filetrans_pattern($1, device_t, dri_device_t, chr_file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans_dri'($*)) dnl - ') - - -######################################## -## -## Automatic type transition to the type -## for event device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -# - define(`dev_filetrans_input_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans_input_dev'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - filetrans_pattern($1, device_t, event_device_t, chr_file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans_input_dev'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the event devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_input_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_input_dev'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - allow $1 device_t:dir list_dir_perms; - allow $1 event_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_input_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the event devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_input_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_input_dev'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - allow $1 device_t:dir list_dir_perms; - allow $1 event_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_input_dev'($*)) dnl - ') - - -######################################## -## -## Read input event devices (/dev/input). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_input',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_input'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - read_chr_files_pattern($1, device_t, event_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_input'($*)) dnl - ') - - -######################################## -## -## Read and write input event devices (/dev/input). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_input_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_input_dev'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - rw_chr_files_pattern($1, device_t, event_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_input_dev'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete input event devices (/dev/input). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_manage_input_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_input_dev'($*)) dnl - - gen_require(` - type device_t, event_device_t; - ') - - manage_chr_files_pattern($1, device_t, event_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_input_dev'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the framebuffer device node. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_framebuffer_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_framebuffer_dev'($*)) dnl - - gen_require(` - type device_t, framebuf_device_t; - ') - - getattr_chr_files_pattern($1, device_t, framebuf_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_framebuffer_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the framebuffer device node. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_framebuffer_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_framebuffer_dev'($*)) dnl - - gen_require(` - type device_t, framebuf_device_t; - ') - - setattr_chr_files_pattern($1, device_t, framebuf_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_framebuffer_dev'($*)) dnl - ') - - -######################################## -## -## Dot not audit attempts to set the attributes -## of the framebuffer device node. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_setattr_framebuffer_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl - - gen_require(` - type framebuf_device_t; - ') - - dontaudit $1 framebuf_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl - ') - - -######################################## -## -## Read the framebuffer. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_framebuffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_framebuffer'($*)) dnl - - gen_require(` - type framebuf_device_t, device_t; - ') - - read_chr_files_pattern($1, device_t, framebuf_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_framebuffer'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the framebuffer. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_framebuffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_framebuffer'($*)) dnl - - gen_require(` - type framebuf_device_t; - ') - - dontaudit $1 framebuf_device_t:chr_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_framebuffer'($*)) dnl - ') - - -######################################## -## -## Write the framebuffer. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_write_framebuffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_framebuffer'($*)) dnl - - gen_require(` - type device_t, framebuf_device_t; - ') - - write_chr_files_pattern($1, device_t, framebuf_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_framebuffer'($*)) dnl - ') - - -######################################## -## -## Read and write the framebuffer. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_framebuffer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_framebuffer'($*)) dnl - - gen_require(` - type device_t, framebuf_device_t; - ') - - rw_chr_files_pattern($1, device_t, framebuf_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_framebuffer'($*)) dnl - ') - - -######################################## -## -## Read the kernel messages -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_kmsg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_kmsg'($*)) dnl - - gen_require(` - type device_t, kmsg_device_t; - ') - - read_chr_files_pattern($1, device_t, kmsg_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_kmsg'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the kernel messages -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_read_kmsg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_kmsg'($*)) dnl - - gen_require(` - type kmsg_device_t; - ') - - dontaudit $1 kmsg_device_t:chr_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_kmsg'($*)) dnl - ') - - -######################################## -## -## Write to the kernel messages device -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_kmsg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_kmsg'($*)) dnl - - gen_require(` - type device_t, kmsg_device_t; - ') - - write_chr_files_pattern($1, device_t, kmsg_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_kmsg'($*)) dnl - ') - - -######################################## -## -## Read and write to the kernel messages device -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_kmsg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_kmsg'($*)) dnl - - gen_require(` - type device_t, kmsg_device_t; - ') - - rw_chr_files_pattern($1, device_t, kmsg_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_kmsg'($*)) dnl - ') - - -######################################## -## -## Mount on the kernel messages device -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_mounton_kmsg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mounton_kmsg'($*)) dnl - - gen_require(` - type kmsg_device_t; - ') - - allow $1 kmsg_device_t:chr_file mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mounton_kmsg'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the ksm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_ksm_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_ksm_dev'($*)) dnl - - gen_require(` - type device_t, ksm_device_t; - ') - - getattr_chr_files_pattern($1, device_t, ksm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_ksm_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the ksm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_ksm_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_ksm_dev'($*)) dnl - - gen_require(` - type device_t, ksm_device_t; - ') - - setattr_chr_files_pattern($1, device_t, ksm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_ksm_dev'($*)) dnl - ') - - -######################################## -## -## Read the ksm devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_ksm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_ksm'($*)) dnl - - gen_require(` - type device_t, ksm_device_t; - ') - - read_chr_files_pattern($1, device_t, ksm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_ksm'($*)) dnl - ') - - -######################################## -## -## Read and write to ksm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_ksm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_ksm'($*)) dnl - - gen_require(` - type device_t, ksm_device_t; - ') - - rw_chr_files_pattern($1, device_t, ksm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_ksm'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the kvm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_kvm_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_kvm_dev'($*)) dnl - - gen_require(` - type device_t, kvm_device_t; - ') - - getattr_chr_files_pattern($1, device_t, kvm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_kvm_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the kvm devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_kvm_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_kvm_dev'($*)) dnl - - gen_require(` - type device_t, kvm_device_t; - ') - - setattr_chr_files_pattern($1, device_t, kvm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_kvm_dev'($*)) dnl - ') - - -######################################## -## -## Read the kvm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_kvm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_kvm'($*)) dnl - - gen_require(` - type device_t, kvm_device_t; - ') - - read_chr_files_pattern($1, device_t, kvm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_kvm'($*)) dnl - ') - - -######################################## -## -## Read and write to kvm devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_kvm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_kvm'($*)) dnl - - gen_require(` - type device_t, kvm_device_t; - ') - - rw_chr_files_pattern($1, device_t, kvm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_kvm'($*)) dnl - ') - - -###################################### -## -## Read the lirc device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_lirc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_lirc'($*)) dnl - - gen_require(` - type device_t, lirc_device_t; - ') - - read_chr_files_pattern($1, device_t, lirc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_lirc'($*)) dnl - ') - - -###################################### -## -## Read and write the lirc device. 
-## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_lirc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_lirc'($*)) dnl - - gen_require(` - type device_t, lirc_device_t; - ') - - rw_chr_files_pattern($1, device_t, lirc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_lirc'($*)) dnl - ') - - -###################################### -## -## Automatic type transition to the type -## for lirc device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -# - define(`dev_filetrans_lirc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans_lirc'($*)) dnl - - gen_require(` - type device_t, lirc_device_t; - ') - - filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans_lirc'($*)) dnl - ') - - -###################################### -## -## Read and write the loop-control device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_loop_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_loop_control'($*)) dnl - - gen_require(` - type device_t, loop_control_device_t; - ') - - rw_chr_files_pattern($1, device_t, loop_control_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_loop_control'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the lvm comtrol device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_lvm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_lvm_control'($*)) dnl - - gen_require(` - type device_t, lvm_control_t; - ') - - getattr_chr_files_pattern($1, device_t, lvm_control_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_lvm_control'($*)) dnl - ') - - -######################################## -## -## Read the lvm comtrol device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_lvm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_lvm_control'($*)) dnl - - gen_require(` - type device_t, lvm_control_t; - ') - - read_chr_files_pattern($1, device_t, lvm_control_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_lvm_control'($*)) dnl - ') - - -######################################## -## -## Read and write the lvm control device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_lvm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_lvm_control'($*)) dnl - - gen_require(` - type device_t, lvm_control_t; - ') - - rw_chr_files_pattern($1, device_t, lvm_control_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_lvm_control'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write lvm control device. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_rw_lvm_control',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_lvm_control'($*)) dnl - - gen_require(` - type lvm_control_t; - ') - - dontaudit $1 lvm_control_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_lvm_control'($*)) dnl - ') - - -######################################## -## -## Delete the lvm control device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_lvm_control_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_lvm_control_dev'($*)) dnl - - gen_require(` - type device_t, lvm_control_t; - ') - - delete_chr_files_pattern($1, device_t, lvm_control_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_lvm_control_dev'($*)) dnl - ') - - -######################################## -## -## dontaudit getattr raw memory devices (e.g. /dev/mem). -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_memory_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_memory_dev'($*)) dnl - - gen_require(` - type memory_device_t; - ') - - dontaudit $1 memory_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_memory_dev'($*)) dnl - ') - - -######################################## -## -## Read raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_raw_memory',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_raw_memory'($*)) dnl - - gen_require(` - type device_t, memory_device_t; - attribute memory_raw_read; - ') - - read_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_raw_memory'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read raw memory devices -## (e.g. /dev/mem). -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_raw_memory',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_raw_memory'($*)) dnl - - gen_require(` - type memory_device_t; - ') - - dontaudit $1 memory_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_raw_memory'($*)) dnl - ') - - -######################################## -## -## Write raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_raw_memory',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_raw_memory'($*)) dnl - - gen_require(` - type device_t, memory_device_t; - attribute memory_raw_write; - ') - - write_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_raw_memory'($*)) dnl - ') - - -######################################## -## -## Read and execute raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rx_raw_memory',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rx_raw_memory'($*)) dnl - - gen_require(` - type memory_device_t; - ') - - dev_read_raw_memory($1) - allow $1 memory_device_t:chr_file { map execute }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rx_raw_memory'($*)) dnl - ') - - -######################################## -## -## Write and execute raw memory devices (e.g. /dev/mem). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_wx_raw_memory',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_wx_raw_memory'($*)) dnl - - gen_require(` - type memory_device_t; - ') - - dev_write_raw_memory($1) - allow $1 memory_device_t:chr_file { map execute }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_wx_raw_memory'($*)) dnl - ') - - -######################################## -## -## Get the attributes of miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_misc_dev'($*)) dnl - - gen_require(` - type device_t, misc_device_t; - ') - - getattr_chr_files_pattern($1, device_t, misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_misc_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of miscellaneous devices. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_getattr_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_misc_dev'($*)) dnl - - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_misc_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_misc_dev'($*)) dnl - - gen_require(` - type device_t, misc_device_t; - ') - - setattr_chr_files_pattern($1, device_t, misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_misc_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## of miscellaneous devices. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_misc_dev'($*)) dnl - - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_misc_dev'($*)) dnl - ') - - -######################################## -## -## Read miscellaneous devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_misc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_misc'($*)) dnl - - gen_require(` - type device_t, misc_device_t; - ') - - read_chr_files_pattern($1, device_t, misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_misc'($*)) dnl - ') - - -######################################## -## -## Write miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_misc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_misc'($*)) dnl - - gen_require(` - type device_t, misc_device_t; - ') - - write_chr_files_pattern($1, device_t, misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_misc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_dontaudit_rw_misc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_misc'($*)) dnl - - gen_require(` - type misc_device_t; - ') - - dontaudit $1 misc_device_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_misc'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the modem devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_modem_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_modem_dev'($*)) dnl - - gen_require(` - type device_t, modem_device_t; - ') - - getattr_chr_files_pattern($1, device_t, modem_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_modem_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the modem devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_modem_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_modem_dev'($*)) dnl - - gen_require(` - type device_t, modem_device_t; - ') - - setattr_chr_files_pattern($1, device_t, modem_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_modem_dev'($*)) dnl - ') - - -######################################## -## -## Read the modem devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_modem',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_modem'($*)) dnl - - gen_require(` - type device_t, modem_device_t; - ') - - read_chr_files_pattern($1, device_t, modem_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_modem'($*)) dnl - ') - - -######################################## -## -## Read and write to modem devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_modem',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_modem'($*)) dnl - - gen_require(` - type device_t, modem_device_t; - ') - - rw_chr_files_pattern($1, device_t, modem_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_modem'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the mouse devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_mouse_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_mouse_dev'($*)) dnl - - gen_require(` - type device_t, mouse_device_t; - ') - - getattr_chr_files_pattern($1, device_t, mouse_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_mouse_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the mouse devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_mouse_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_mouse_dev'($*)) dnl - - gen_require(` - type device_t, mouse_device_t; - ') - - setattr_chr_files_pattern($1, device_t, mouse_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_mouse_dev'($*)) dnl - ') - - -######################################## -## -## Read the mouse devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_mouse',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_mouse'($*)) dnl - - gen_require(` - type device_t, mouse_device_t; - ') - - read_chr_files_pattern($1, device_t, mouse_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_mouse'($*)) dnl - ') - - -######################################## -## -## Read and write to mouse devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_mouse',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_mouse'($*)) dnl - - gen_require(` - type device_t, mouse_device_t; - ') - - rw_chr_files_pattern($1, device_t, mouse_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_mouse'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the memory type range -## registers (MTRR) device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_mtrr_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_mtrr_dev'($*)) dnl - - gen_require(` - type device_t, mtrr_device_t; - ') - - getattr_files_pattern($1, device_t, mtrr_device_t) - getattr_chr_files_pattern($1, device_t, mtrr_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_mtrr_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write the memory type -## range registers (MTRR). -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_write_mtrr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_mtrr'($*)) dnl - - gen_require(` - type mtrr_device_t; - ') - - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_mtrr'($*)) dnl - ') - - -######################################## -## -## Read and write the memory type range registers (MTRR). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_mtrr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_mtrr'($*)) dnl - - gen_require(` - type device_t, mtrr_device_t; - ') - - rw_files_pattern($1, device_t, mtrr_device_t) - rw_chr_files_pattern($1, device_t, mtrr_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_mtrr'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the network control device (Deprecated) -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_netcontrol_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_netcontrol_dev'($*)) dnl - - refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.') - dev_getattr_pmqos_dev($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_netcontrol_dev'($*)) dnl - ') - - -######################################## -## -## Read the network control identity. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_netcontrol',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_netcontrol'($*)) dnl - - refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.') - dev_read_pmqos($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_netcontrol'($*)) dnl - ') - - -######################################## -## -## Read and write the the network control device. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_netcontrol',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_netcontrol'($*)) dnl - - refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.') - dev_rw_pmqos($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_netcontrol'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the null device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_null_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_null_dev'($*)) dnl - - gen_require(` - type device_t, null_device_t; - ') - - getattr_chr_files_pattern($1, device_t, null_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_null_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the null device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_null_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_null_dev'($*)) dnl - - gen_require(` - type device_t, null_device_t; - ') - - setattr_chr_files_pattern($1, device_t, null_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_null_dev'($*)) dnl - ') - - -######################################## -## -## Delete the null device (/dev/null). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_delete_null',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_delete_null'($*)) dnl - - gen_require(` - type device_t, null_device_t; - ') - - delete_chr_files_pattern($1, device_t, null_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_delete_null'($*)) dnl - ') - - -######################################## -## -## Read and write to the null device (/dev/null). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_null',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_null'($*)) dnl - - gen_require(` - type device_t, null_device_t; - ') - - rw_chr_files_pattern($1, device_t, null_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_null'($*)) dnl - ') - - -######################################## -## -## Create the null device (/dev/null). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_null_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_null_dev'($*)) dnl - - gen_require(` - type device_t, null_device_t; - ') - - create_chr_files_pattern($1, device_t, null_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_null_dev'($*)) dnl - ') - - -######################################## -## -## Manage services with script type null_device_t for when -## /lib/systemd/system/something.service is a link to /dev/null -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_null_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_null_service'($*)) dnl - - gen_require(` - type null_device_t; - class service { status start stop reload }; - ') - - allow $1 null_device_t:service { status start stop reload }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_null_service'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of the BIOS non-volatile RAM device. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_nvram_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_nvram_dev'($*)) dnl - - gen_require(` - type nvram_device_t; - ') - - dontaudit $1 nvram_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_nvram_dev'($*)) dnl - ') - - -######################################## -## -## Read and write BIOS non-volatile RAM. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_nvram',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_nvram'($*)) dnl - - gen_require(` - type nvram_device_t, device_t; - ') - - rw_chr_files_pattern($1, device_t, nvram_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_nvram'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the printer device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_printer_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_printer_dev'($*)) dnl - - gen_require(` - type device_t, printer_device_t; - ') - - getattr_chr_files_pattern($1, device_t, printer_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_printer_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the printer device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_printer_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_printer_dev'($*)) dnl - - gen_require(` - type device_t, printer_device_t; - ') - - setattr_chr_files_pattern($1, device_t, printer_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_printer_dev'($*)) dnl - ') - - -######################################## -## -## Append the printer device. -## -## -## -## Domain allowed access. 
-## -## -# -# cjp: added for lpd/checkpc_t - define(`dev_append_printer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_append_printer'($*)) dnl - - gen_require(` - type device_t, printer_device_t; - ') - - append_chr_files_pattern($1, device_t, printer_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_append_printer'($*)) dnl - ') - - -######################################## -## -## Read and write the printer device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_printer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_printer'($*)) dnl - - gen_require(` - type device_t, printer_device_t; - ') - - rw_chr_files_pattern($1, device_t, printer_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_printer'($*)) dnl - ') - - -######################################## -## -## Get the attributes of PM QoS devices -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_pmqos_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_pmqos_dev'($*)) dnl - - gen_require(` - type device_t, pmqos_device_t; - ') - - getattr_chr_files_pattern($1, device_t, pmqos_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_pmqos_dev'($*)) dnl - ') - - -######################################## -## -## Read the PM QoS devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_pmqos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_pmqos'($*)) dnl - - gen_require(` - type device_t, pmqos_device_t; - ') - - read_chr_files_pattern($1, device_t, pmqos_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_pmqos'($*)) dnl - ') - - -######################################## -## -## Read and write the the PM QoS devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_pmqos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_pmqos'($*)) dnl - - gen_require(` - type device_t, pmqos_device_t; - ') - - rw_chr_files_pattern($1, device_t, pmqos_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_pmqos'($*)) dnl - ') - - -######################################## -## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_printk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_printk'($*)) dnl - - refpolicywarn(`$0() has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_printk'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the QEMU -## microcode and id interfaces. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_qemu_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_qemu_dev'($*)) dnl - - gen_require(` - type device_t, qemu_device_t; - ') - - getattr_chr_files_pattern($1, device_t, qemu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_qemu_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the QEMU -## microcode and id interfaces. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_qemu_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_qemu_dev'($*)) dnl - - gen_require(` - type device_t, qemu_device_t; - ') - - setattr_chr_files_pattern($1, device_t, qemu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_qemu_dev'($*)) dnl - ') - - -######################################## -## -## Read the QEMU device -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_qemu',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_qemu'($*)) dnl - - gen_require(` - type device_t, qemu_device_t; - ') - - read_chr_files_pattern($1, device_t, qemu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_qemu'($*)) dnl - ') - - -######################################## -## -## Read and write the the QEMU device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_qemu',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_qemu'($*)) dnl - - gen_require(` - type device_t, qemu_device_t; - ') - - rw_chr_files_pattern($1, device_t, qemu_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_qemu'($*)) dnl - ') - - -######################################## -## -## Read from random number generator -## devices (e.g., /dev/random). -## -## -##

-## Allow the specified domain to read from random number -## generator devices (e.g., /dev/random). Typically this is -## used in situations when a cryptographically secure random -## number is needed. -##

-##

-## Related interface: -##

-##
    -##
  • dev_read_urand()
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`dev_read_rand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_rand'($*)) dnl - - gen_require(` - type device_t, random_device_t; - ') - - read_chr_files_pattern($1, device_t, random_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_rand'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read from random -## number generator devices (e.g., /dev/random) -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_rand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_rand'($*)) dnl - - gen_require(` - type random_device_t; - ') - - dontaudit $1 random_device_t:chr_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_rand'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append to random -## number generator devices (e.g., /dev/random) -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_append_rand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_append_rand'($*)) dnl - - gen_require(` - type random_device_t; - ') - - dontaudit $1 random_device_t:chr_file append_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_append_rand'($*)) dnl - ') - - -######################################## -## -## Write to the random device (e.g., /dev/random). This adds -## entropy used to generate the random data read from the -## random device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_write_rand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_rand'($*)) dnl - - gen_require(` - type device_t, random_device_t; - ') - - write_chr_files_pattern($1, device_t, random_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_rand'($*)) dnl - ') - - -######################################## -## -## Read the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_realtime_clock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_realtime_clock'($*)) dnl - - gen_require(` - type device_t, clock_device_t; - ') - - read_chr_files_pattern($1, device_t, clock_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_realtime_clock'($*)) dnl - ') - - -######################################## -## -## Set the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_realtime_clock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_realtime_clock'($*)) dnl - - gen_require(` - type device_t, clock_device_t; - ') - - write_chr_files_pattern($1, device_t, clock_device_t) - - allow $1 clock_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_realtime_clock'($*)) dnl - ') - - -######################################## -## -## Read and set the realtime clock (/dev/rtc). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_realtime_clock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_realtime_clock'($*)) dnl - - dev_read_realtime_clock($1) - dev_write_realtime_clock($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_realtime_clock'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the scanner device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_scanner_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_scanner_dev'($*)) dnl - - gen_require(` - type device_t, scanner_device_t; - ') - - getattr_chr_files_pattern($1, device_t, scanner_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_scanner_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## the scanner device. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_scanner_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_scanner_dev'($*)) dnl - - gen_require(` - type scanner_device_t; - ') - - dontaudit $1 scanner_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_scanner_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the scanner device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_scanner_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_scanner_dev'($*)) dnl - - gen_require(` - type device_t, scanner_device_t; - ') - - setattr_chr_files_pattern($1, device_t, scanner_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_scanner_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes of -## the scanner device. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_scanner_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_scanner_dev'($*)) dnl - - gen_require(` - type scanner_device_t; - ') - - dontaudit $1 scanner_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_scanner_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the scanner device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_scanner',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_scanner'($*)) dnl - - gen_require(` - type device_t, scanner_device_t; - ') - - rw_chr_files_pattern($1, device_t, scanner_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_scanner'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the sound devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_sound_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_sound_dev'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - getattr_chr_files_pattern($1, device_t, sound_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_sound_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the sound devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_sound_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_sound_dev'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - setattr_chr_files_pattern($1, device_t, sound_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_sound_dev'($*)) dnl - ') - - -######################################## -## -## Read the sound devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_sound',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_sound'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - read_chr_files_pattern($1, device_t, sound_device_t) - allow $1 sound_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_sound'($*)) dnl - ') - - -######################################## -## -## Write the sound devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_write_sound',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_sound'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - write_chr_files_pattern($1, device_t, sound_device_t) - allow $1 sound_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_sound'($*)) dnl - ') - - -######################################## -## -## Read the sound mixer devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_sound_mixer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_sound_mixer'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - read_chr_files_pattern($1, device_t, sound_device_t) - allow $1 sound_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_sound_mixer'($*)) dnl - ') - - -######################################## -## -## Write the sound mixer devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_sound_mixer',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_sound_mixer'($*)) dnl - - gen_require(` - type device_t, sound_device_t; - ') - - write_chr_files_pattern($1, device_t, sound_device_t) - allow $1 sound_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_sound_mixer'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the the power management device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_power_mgmt_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_power_mgmt_dev'($*)) dnl - - gen_require(` - type device_t, power_device_t; - ') - - getattr_chr_files_pattern($1, device_t, power_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_power_mgmt_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the the power management device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_power_mgmt_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_power_mgmt_dev'($*)) dnl - - gen_require(` - type device_t, power_device_t; - ') - - setattr_chr_files_pattern($1, device_t, power_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_power_mgmt_dev'($*)) dnl - ') - - -######################################## -## -## Read and write the the power management device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_power_management',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_power_management'($*)) dnl - - gen_require(` - type device_t, power_device_t; - ') - - rw_chr_files_pattern($1, device_t, power_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_power_management'($*)) dnl - ') - - -######################################## -## -## Getattr on smartcard devices -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_smartcard_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_smartcard_dev'($*)) dnl - - gen_require(` - type smartcard_device_t; - ') - - allow $1 smartcard_device_t:chr_file getattr; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_smartcard_dev'($*)) dnl - ') - - -######################################## -## -## dontaudit getattr on smartcard devices -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_smartcard_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_smartcard_dev'($*)) dnl - - gen_require(` - type smartcard_device_t; - ') - - dontaudit $1 smartcard_device_t:chr_file getattr; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_smartcard_dev'($*)) dnl - ') - - -######################################## -## -## Read and write smartcard devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_smartcard',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_smartcard'($*)) dnl - - gen_require(` - type device_t, smartcard_device_t; - ') - - rw_chr_files_pattern($1, device_t, smartcard_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_smartcard'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete smartcard devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_manage_smartcard',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_smartcard'($*)) dnl - - gen_require(` - type device_t, smartcard_device_t; - ') - - manage_chr_files_pattern($1, device_t, smartcard_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_smartcard'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on sysfs. -## -## -## -## Domain allow access. -## -## -# - define(`dev_mounton_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mounton_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mounton_sysfs'($*)) dnl - ') - - -######################################## -## -## Associate a file to a sysfs filesystem. -## -## -## -## The type of the file to be associated to sysfs. -## -## -# - define(`dev_associate_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_associate_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_associate_sysfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of sysfs directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of sysfs filesystem -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs'($*)) dnl - ') - - -######################################## -## -## mount a sysfs filesystem -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_mount_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mount_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mount_sysfs'($*)) dnl - ') - - -######################################## -## -## Do not audit getting the attributes of sysfs filesystem -## -## -## -## Domain to dontaudit access from -## -## -# - define(`dev_dontaudit_getattr_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_sysfs'($*)) dnl - ') - - -######################################## -## -## Dont audit attempts to read hardware state information -## -## -## -## Domain for which the attempts do not need to be audited -## -## -# - define(`dev_dontaudit_read_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:file read_file_perms; - dontaudit $1 sysfs_t:dir list_dir_perms; - dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_sysfs'($*)) dnl - ') - - -######################################## -## -## mounton sysfs directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_mounton_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mounton_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mounton_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Search the sysfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_search_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_search_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - search_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_search_sysfs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search sysfs. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_search_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_search_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_search_sysfs'($*)) dnl - ') - - -######################################## -## -## List the contents of the sysfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_list_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_list_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - list_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_list_sysfs'($*)) dnl - ') - - -######################################## -## -## Write in a sysfs directories. 
-## -## -## -## Domain allowed access. -## -## -# -# cjp: added for cpuspeed - define(`dev_write_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - allow $1 sysfs_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write in a sysfs directory. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_write_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete sysfs -## directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - manage_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Read hardware state information. -## -## -##

-## Allow the specified domain to read the contents of -## the sysfs filesystem. This filesystem contains -## information, parameters, and other settings on the -## hardware installed on the system. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`dev_read_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - read_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_sysfs'($*)) dnl - ') - - -######################################## -## -## Allow caller to modify hardware state information. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_sysfs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_sysfs'($*)) dnl - ') - - -######################################## -## -## Add a sysfs file -## -## -## -## Domain allowed access. -## -## -# - define(`dev_create_sysfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_sysfs_files'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - create_files_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_sysfs_files'($*)) dnl - ') - - -######################################## -## -## Relabel hardware state directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabel_sysfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_sysfs_dirs'($*)) dnl - - gen_require(` - type sysfs_t; - ') - - relabel_dirs_pattern($1, sysfs_t, sysfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_sysfs_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from/to all sysfs types. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_relabel_all_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_all_sysfs'($*)) dnl - - gen_require(` - attribute sysfs_types; - ') - - allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms }; - allow $1 sysfs_types:file relabel_file_perms; - allow $1 sysfs_types:lnk_file relabel_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_all_sysfs'($*)) dnl - ') - - -######################################## -## -## Set the attributes of sysfs files, directories and symlinks. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_all_sysfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_all_sysfs'($*)) dnl - - gen_require(` - attribute sysfs_types; - ') - - allow $1 sysfs_types:dir { search_dir_perms setattr }; - allow $1 sysfs_types:file setattr; - allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_all_sysfs'($*)) dnl - ') - - -######################################## -## -## Read and write the TPM device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_tpm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_tpm'($*)) dnl - - gen_require(` - type device_t, tpm_device_t; - ') - - rw_chr_files_pattern($1, device_t, tpm_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_tpm'($*)) dnl - ') - - -######################################## -## -## Read from pseudo random number generator devices (e.g., /dev/urandom). -## -## -##

-## Allow the specified domain to read from pseudo random number -## generator devices (e.g., /dev/urandom). Typically this is -## used in situations when a cryptographically secure random -## number is not necessarily needed. One example is the Stack -## Smashing Protector (SSP, formerly known as ProPolice) support -## that may be compiled into programs. -##

-##

-## Related interface: -##

-##
    -##
  • dev_read_rand()
  • -##
-##

-## Related tunable: -##

-##
    -##
  • global_ssp
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -# - define(`dev_read_urand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_urand'($*)) dnl - - gen_require(` - type device_t, urandom_device_t; - ') - - read_chr_files_pattern($1, device_t, urandom_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_urand'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read from pseudo -## random devices (e.g., /dev/urandom) -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_read_urand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_urand'($*)) dnl - - gen_require(` - type urandom_device_t; - ') - - dontaudit $1 urandom_device_t:chr_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_urand'($*)) dnl - ') - - -######################################## -## -## Write to the pseudo random device (e.g., /dev/urandom). This -## sets the random number generator seed. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_urand',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_urand'($*)) dnl - - gen_require(` - type device_t, urandom_device_t; - ') - - write_chr_files_pattern($1, device_t, urandom_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_urand'($*)) dnl - ') - - -######################################## -## -## Getattr generic the USB devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_generic_usb_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_usb_dev'($*)) dnl - - gen_require(` - type usb_device_t, device_t; - ') - - getattr_chr_files_pattern($1, device_t, usb_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_generic_usb_dev'($*)) dnl - ') - - -######################################## -## -## Setattr generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_generic_usb_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_usb_dev'($*)) dnl - - gen_require(` - type usb_device_t, device_t; - ') - - setattr_chr_files_pattern($1, device_t, usb_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_generic_usb_dev'($*)) dnl - ') - - -######################################## -## -## Read generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_generic_usb_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_generic_usb_dev'($*)) dnl - - gen_require(` - type usb_device_t, device_t; - ') - - read_chr_files_pattern($1, device_t, usb_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_generic_usb_dev'($*)) dnl - ') - - -######################################## -## -## Read and write generic the USB devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_generic_usb_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_generic_usb_dev'($*)) dnl - - gen_require(` - type device_t, usb_device_t; - ') - - rw_chr_files_pattern($1, device_t, usb_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_generic_usb_dev'($*)) dnl - ') - - -######################################## -## -## Relabel generic the USB devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_relabel_generic_usb_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_usb_dev'($*)) dnl - - gen_require(` - type usb_device_t, device_t; - ') - - relabel_chr_files_pattern($1, device_t, usb_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_generic_usb_dev'($*)) dnl - ') - - -######################################## -## -## Read USB monitor devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_usbmon_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_usbmon_dev'($*)) dnl - - gen_require(` - type device_t, usbmon_device_t; - ') - - read_chr_files_pattern($1, device_t, usbmon_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_usbmon_dev'($*)) dnl - ') - - -######################################## -## -## Write USB monitor devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_write_usbmon_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_usbmon_dev'($*)) dnl - - gen_require(` - type device_t, usbmon_device_t; - ') - - write_chr_files_pattern($1, device_t, usbmon_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_usbmon_dev'($*)) dnl - ') - - -######################################## -## -## Mount a usbfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_mount_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_mount_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_mount_usbfs'($*)) dnl - ') - - -######################################## -## -## Associate a file to a usbfs filesystem. -## -## -## -## The type of the file to be associated to usbfs. -## -## -# - define(`dev_associate_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_associate_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_associate_usbfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a directory in the usb filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_getattr_usbfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_usbfs_dirs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - allow $1 usbfs_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_usbfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of a directory in the usb filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_getattr_usbfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - dontaudit $1 usbfs_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl - ') - - -######################################## -## -## Search the directory containing USB hardware information. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_search_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_search_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - search_dirs_pattern($1, usbfs_t, usbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_search_usbfs'($*)) dnl - ') - - -######################################## -## -## Allow caller to get a list of usb hardware. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_list_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_list_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - getattr_files_pattern($1, usbfs_t, usbfs_t) - - list_dirs_pattern($1, usbfs_t, usbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_list_usbfs'($*)) dnl - ') - - -######################################## -## -## Set the attributes of usbfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_usbfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_usbfs_files'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - setattr_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_usbfs_files'($*)) dnl - ') - - -######################################## -## -## Read USB hardware information using -## the usbfs filesystem interface. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - read_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_usbfs'($*)) dnl - ') - - -######################################## -## -## Allow caller to modify usb hardware configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_usbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_usbfs'($*)) dnl - - gen_require(` - type usbfs_t; - ') - - list_dirs_pattern($1, usbfs_t, usbfs_t) - rw_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_usbfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of video4linux devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_video_dev'($*)) dnl - - gen_require(` - type device_t, v4l_device_t; - ') - - getattr_chr_files_pattern($1, device_t, v4l_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_video_dev'($*)) dnl - ') - - -###################################### -## -## Read and write userio device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_userio_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_userio_dev'($*)) dnl - - gen_require(` - type device_t, userio_device_t; - ') - - rw_chr_files_pattern($1, device_t, userio_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_userio_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of video4linux device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dev_dontaudit_getattr_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_video_dev'($*)) dnl - - gen_require(` - type v4l_device_t; - ') - - dontaudit $1 v4l_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_video_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of video4linux device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_setattr_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_video_dev'($*)) dnl - - gen_require(` - type device_t, v4l_device_t; - ') - - setattr_chr_files_pattern($1, device_t, v4l_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_video_dev'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## of video4linux device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`dev_dontaudit_setattr_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_video_dev'($*)) dnl - - gen_require(` - type v4l_device_t; - ') - - dontaudit $1 v4l_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_video_dev'($*)) dnl - ') - - -######################################## -## -## Read the video4linux devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_read_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_video_dev'($*)) dnl - - gen_require(` - type device_t, v4l_device_t; - ') - - read_chr_files_pattern($1, device_t, v4l_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_video_dev'($*)) dnl - ') - - -######################################## -## -## Write the video4linux devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_video_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_video_dev'($*)) dnl - - gen_require(` - type device_t, v4l_device_t; - ') - - write_chr_files_pattern($1, device_t, v4l_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_video_dev'($*)) dnl - ') - - -######################################## -## -## Read and write vfio devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_vfio_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_vfio_dev'($*)) dnl - - gen_require(` - type device_t, vfio_device_t; - ') - - rw_chr_files_pattern($1, device_t, vfio_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_vfio_dev'($*)) dnl - ') - - -######################################## -## -## Relabel vfio devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabelfrom_vfio_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabelfrom_vfio_dev'($*)) dnl - - gen_require(` - type device_t, vfio_device_t; - ') - - relabelfrom_chr_files_pattern($1, device_t, vfio_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabelfrom_vfio_dev'($*)) dnl - ') - - -############################ -## -## Allow read/write the vhost devices -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_vhost',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_vhost'($*)) dnl - - gen_require(` - type device_t, vhost_device_t; - ') - - rw_chr_files_pattern($1, device_t, vhost_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_vhost'($*)) dnl - ') - - -######################################## -## -## Read and write VMWare devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_vmware',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_vmware'($*)) dnl - - gen_require(` - type device_t, vmware_device_t; - ') - - rw_chr_files_pattern($1, device_t, vmware_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_vmware'($*)) dnl - ') - - -######################################## -## -## Read, write, and mmap VMWare devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rwx_vmware',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rwx_vmware'($*)) dnl - - gen_require(` - type vmware_device_t; - ') - - dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file { map execute }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rwx_vmware'($*)) dnl - ') - - -######################################## -## -## Read from watchdog devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_read_watchdog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_watchdog'($*)) dnl - - gen_require(` - type device_t, watchdog_device_t; - ') - - read_chr_files_pattern($1, device_t, watchdog_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_watchdog'($*)) dnl - ') - - -######################################## -## -## Write to watchdog devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_write_watchdog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_write_watchdog'($*)) dnl - - gen_require(` - type device_t, watchdog_device_t; - ') - - write_chr_files_pattern($1, device_t, watchdog_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_write_watchdog'($*)) dnl - ') - - -######################################## -## -## Read and write the the wireless device. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_wireless',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_wireless'($*)) dnl - - gen_require(` - type device_t, wireless_device_t; - ') - - rw_chr_files_pattern($1, device_t, wireless_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_wireless'($*)) dnl - ') - - -######################################## -## -## manage the wireless device. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_manage_wireless',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_wireless'($*)) dnl - - gen_require(` - type device_t, wireless_device_t; - ') - - manage_chr_files_pattern($1, device_t, wireless_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_wireless'($*)) dnl - ') - - -######################################## -## -## Read and write Xen devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_xen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_xen'($*)) dnl - - gen_require(` - type device_t, xen_device_t; - ') - - rw_chr_files_pattern($1, device_t, xen_device_t) - allow $1 xen_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_xen'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete Xen devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_manage_xen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_manage_xen'($*)) dnl - - gen_require(` - type device_t, xen_device_t; - ') - - manage_chr_files_pattern($1, device_t, xen_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_manage_xen'($*)) dnl - ') - - -######################################## -## -## Automatic type transition to the type -## for xen device nodes when created in /dev. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -# - define(`dev_filetrans_xen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_filetrans_xen'($*)) dnl - - gen_require(` - type device_t, xen_device_t; - ') - - filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_filetrans_xen'($*)) dnl - ') - - -######################################## -## -## Get the attributes of X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_getattr_xserver_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_getattr_xserver_misc_dev'($*)) dnl - - gen_require(` - type device_t, xserver_misc_device_t; - ') - - getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_getattr_xserver_misc_dev'($*)) dnl - ') - - -######################################## -## -## Set the attributes of X server miscellaneous devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_setattr_xserver_misc_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_setattr_xserver_misc_dev'($*)) dnl - - gen_require(` - type device_t, xserver_misc_device_t; - ') - - setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_setattr_xserver_misc_dev'($*)) dnl - ') - - -######################################## -## -## Read and write X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rw_xserver_misc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_xserver_misc'($*)) dnl - - gen_require(` - type device_t, xserver_misc_device_t; - ') - - rw_chr_files_pattern($1, device_t, xserver_misc_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_xserver_misc'($*)) dnl - ') - - -######################################## -## -## Map X server miscellaneous devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_map_xserver_misc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_map_xserver_misc'($*)) dnl - - gen_require(` - type xserver_misc_device_t; - ') - - allow $1 xserver_misc_device_t:chr_file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_map_xserver_misc'($*)) dnl - ') - - -######################################## -## -## Read and write to the zero device (/dev/zero). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_rw_zero',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rw_zero'($*)) dnl - - gen_require(` - type device_t, zero_device_t; - ') - - rw_chr_files_pattern($1, device_t, zero_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rw_zero'($*)) dnl - ') - - -######################################## -## -## Read, write, and execute the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_rwx_zero',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_rwx_zero'($*)) dnl - - gen_require(` - type zero_device_t; - ') - - dev_rw_zero($1) - allow $1 zero_device_t:chr_file { map execute }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_rwx_zero'($*)) dnl - ') - - -######################################## -## -## Execmod the zero device (/dev/zero). -## -## -## -## Domain allowed access. -## -## -# - define(`dev_execmod_zero',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_execmod_zero'($*)) dnl - - gen_require(` - type zero_device_t; - ') - - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execmod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_execmod_zero'($*)) dnl - ') - - -######################################## -## -## Create the zero device (/dev/zero). -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_create_zero_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_create_zero_dev'($*)) dnl - - gen_require(` - type device_t, zero_device_t; - ') - - create_chr_files_pattern($1, device_t, zero_device_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_create_zero_dev'($*)) dnl - ') - - -######################################## -## -## Read cpu online hardware state information -## -## -##

-## Allow the specified domain to read /sys/devices/system/cpu/online -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`dev_read_cpu_online',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_read_cpu_online'($*)) dnl - - gen_require(` - type cpu_online_t; - ') - - allow $1 cpu_online_t:file read_file_perms; - - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_read_cpu_online'($*)) dnl - ') - - -######################################## -## -## Unconfined access to devices. -## -## -## -## Domain allowed access. -## -## -# - define(`dev_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_unconfined'($*)) dnl - - gen_require(` - attribute devices_unconfined_type; - ') - - typeattribute $1 devices_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_unconfined'($*)) dnl - ') - - -# We cannot use ifdef distro_gentoo for interfaces - -######################################## -## -## Relabel cpu online hardware state information. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dev_relabel_cpu_online',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_relabel_cpu_online'($*)) dnl - - gen_require(` - type cpu_online_t; - ') - - dev_search_sysfs($1) - allow $1 cpu_online_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_relabel_cpu_online'($*)) dnl - ') - - -######################################## -## -## Dont audit attempts to read usbmon devices -## -## -## -## Domain for which the attempts do not need to be audited -## -## -# - define(`dev_dontaudit_read_usbmon_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_usbmon_dev'($*)) dnl - - gen_require(` - type usbmon_device_t; - ') - - dontaudit $1 usbmon_device_t:chr_file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_usbmon_dev'($*)) dnl - ') - - -## Multicategory security policy -## -## Contains attributes used in MCS policy. -## - -######################################## -## -## Constrain by category access control (MCS). -## -## -##

-## Constrain the specified type by category based -## access control (MCS) This prevents this domain from -## interacting with subjects and operating on objects -## that it otherwise would be able to interact -## with or operate on respectively. -##

-##
-## -## -## Type to be constrained by MCS. -## -## -## -# - define(`mcs_constrained',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_constrained'($*)) dnl - - gen_require(` - attribute mcs_constrained_type; - ') - - typeattribute $1 mcs_constrained_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_constrained'($*)) dnl - ') - - -######################################## -## -## This domain is allowed to read files and directories -## regardless of their MCS category set. -## -## -## -## Domain target for user exemption. -## -## -## -# - define(`mcs_file_read_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_file_read_all'($*)) dnl - - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_file_read_all'($*)) dnl - ') - - -######################################## -## -## This domain is allowed to write files and directories -## regardless of their MCS category set. -## -## -## -## Domain target for user exemption. -## -## -## -# - define(`mcs_file_write_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_file_write_all'($*)) dnl - - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_file_write_all'($*)) dnl - ') - - -######################################## -## -## This domain is allowed to sigkill and sigstop -## all domains regardless of their MCS category set. -## -## -## -## Domain target for user exemption. 
-## -## -## -# - define(`mcs_killall',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_killall'($*)) dnl - - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_killall'($*)) dnl - ') - - -######################################## -## -## This domain is allowed to ptrace -## all domains regardless of their MCS -## category set. -## -## -## -## Domain target for user exemption. -## -## -# - define(`mcs_ptrace_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_ptrace_all'($*)) dnl - - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_ptrace_all'($*)) dnl - ') - - -######################################## -## -## Make specified domain MCS trusted -## for setting any category set for -## the processes it executes. -## -## -## -## Domain target for user exemption. -## -## -# - define(`mcs_process_set_categories',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mcs_process_set_categories'($*)) dnl - - gen_require(` - attribute mcssetcats; - ') - - typeattribute $1 mcssetcats; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mcs_process_set_categories'($*)) dnl - ') - -## -## Core policy for shells, and generic programs -## in /bin, /sbin, /usr/bin, and /usr/sbin. -## -## -## Contains the base bin and sbin directory types -## which need to be searched for the kernel to -## run init. -## - -######################################## -## -## Make the specified type usable for files -## that are exectuables, such as binary programs. -## This does not include shared libraries. -## -## -## -## Type to be used for files. 
-## -## -# - define(`corecmd_executable_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_executable_file'($*)) dnl - - gen_require(` - attribute exec_type; - ') - - typeattribute $1 exec_type; - - files_type($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_executable_file'($*)) dnl - ') - - -######################################## -## -## Make general progams in bin an entrypoint for -## the specified domain. -## -## -## -## The domain for which bin_t is an entrypoint. -## -## -# - define(`corecmd_bin_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_bin_entry_type'($*)) dnl - - gen_require(` - type bin_t; - ') - - domain_entry_file($1, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_bin_entry_type'($*)) dnl - ') - - -######################################## -## -## Make the shell an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# - define(`corecmd_shell_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_shell_entry_type'($*)) dnl - - gen_require(` - type shell_exec_t; - ') - - domain_entry_file($1, shell_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_shell_entry_type'($*)) dnl - ') - - -######################################## -## -## Search the contents of bin directories. -## Also allow to read a possible /bin->/usr/bin symlink. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corecmd_search_bin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_search_bin'($*)) dnl - - gen_require(` - type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - files_search_usr($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_search_bin'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the contents of bin directories. -## -## -## -## Domain to not audit. -## -## -# - define(`corecmd_dontaudit_search_bin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_bin'($*)) dnl - - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_bin'($*)) dnl - ') - - -######################################## -## -## List the contents of bin directories. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_list_bin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_list_bin'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - list_dirs_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_list_bin'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write bin directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`corecmd_dontaudit_write_bin_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_dirs'($*)) dnl - - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files in bin directories. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_getattr_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_getattr_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - getattr_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_getattr_bin_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of files in bin directories. -## -## -## -## Domain to not audit. -## -## -# - define(`corecmd_dontaudit_getattr_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:dir search_dir_perms; - dontaudit $1 bin_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_bin_files'($*)) dnl - ') - - -######################################## -## -## Check if files in bin directories are executable (DAC-wise) -## -## -## -## Domain allowed access. 
-## -## -# - define(`corecmd_check_exec_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_check_exec_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - allow $1 bin_t:dir search_dir_perms; - allow $1 bin_t:file { execute getattr }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_check_exec_bin_files'($*)) dnl - ') - - -######################################## -## -## Read files in bin directories. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_read_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - read_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_read_bin_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write bin files. -## -## -## -## Domain to not audit. -## -## -# - define(`corecmd_dontaudit_write_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - dontaudit $1 bin_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links in bin directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corecmd_read_bin_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_symlinks'($*)) dnl - - refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') - - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_read_bin_symlinks'($*)) dnl - ') - - -######################################## -## -## Read pipes in bin directories. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_read_bin_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_pipes'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - read_fifo_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_read_bin_pipes'($*)) dnl - ') - - -######################################## -## -## Read named sockets in bin directories. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_read_bin_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_sockets'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - read_sock_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_read_bin_sockets'($*)) dnl - ') - - -######################################## -## -## Execute generic programs in bin directories, -## in the caller domain. -## -## -##

-## Allow the specified domain to execute generic programs -## in system bin directories (/bin, /sbin, /usr/bin, -## /usr/sbin) a without domain transition. -##

-##

-## Typically, this interface should be used when the domain -## executes general system progams within the privileges -## of the source domain. Some examples of these programs -## are ls, cp, sed, python, and tar. This does not include -## shells, such as bash. -##

-##

-## Related interface: -##

-##
    -##
  • corecmd_exec_shell()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# - define(`corecmd_exec_bin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_exec_bin'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_list_bin($1) - can_exec($1, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_exec_bin'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete bin files. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_manage_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_manage_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - manage_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_manage_bin_files'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_relabel_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - relabel_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_files'($*)) dnl - ') - - -######################################## -## -## Mmap a bin file as executable. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corecmd_mmap_bin_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_mmap_bin_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - mmap_exec_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_mmap_bin_files'($*)) dnl - ') - - -######################################## -## -## Execute a file in a bin directory -## in the specified domain but do not -## do it automatically. This is an explicit -## transition, requiring the caller to use setexeccon(). -## -## -##

-## Execute a file in a bin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the userhelper policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# - define(`corecmd_bin_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_bin_spec_domtrans'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_search_bin($1) - domain_transition_pattern($1, bin_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_bin_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a file in a bin directory -## in the specified domain. -## -## -##

-## Execute a file in a bin directory -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# - define(`corecmd_bin_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_bin_domtrans'($*)) dnl - - gen_require(` - type bin_t; - ') - - corecmd_bin_spec_domtrans($1, $2) - type_transition $1 bin_t:process $2; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_bin_domtrans'($*)) dnl - ') - - -######################################## -## -## Check if a shell is executable (DAC-wise). -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_check_exec_shell',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_check_exec_shell'($*)) dnl - - gen_require(` - type shell_exec_t; - ') - - corecmd_list_bin($1) - allow $1 shell_exec_t:file execute; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_check_exec_shell'($*)) dnl - ') - - -######################################## -## -## Execute shells in the caller domain. -## -## -##

-## Allow the specified domain to execute shells without -## a domain transition. -##

-##

-## Typically, this interface should be used when the domain -## executes shells within the privileges -## of the source domain. Some examples of these programs -## are bash, tcsh, and zsh. -##

-##

-## Related interface: -##

-##
    -##
  • corecmd_exec_bin()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# - define(`corecmd_exec_shell',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_exec_shell'($*)) dnl - - gen_require(` - type shell_exec_t; - ') - - corecmd_list_bin($1) - can_exec($1, shell_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_exec_shell'($*)) dnl - ') - - -######################################## -## -## Execute a shell in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -##

-## Execute a shell in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# - define(`corecmd_shell_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_shell_spec_domtrans'($*)) dnl - - gen_require(` - type shell_exec_t; - ') - - corecmd_list_bin($1) - domain_transition_pattern($1, shell_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_shell_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a shell in the specified domain. -## -## -##

-## Execute a shell in the specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# - define(`corecmd_shell_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_shell_domtrans'($*)) dnl - - gen_require(` - type shell_exec_t; - ') - - corecmd_shell_spec_domtrans($1, $2) - type_transition $1 shell_exec_t:process $2; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_shell_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute chroot in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_exec_chroot',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_exec_chroot'($*)) dnl - - gen_require(` - type chroot_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, chroot_exec_t) - allow $1 self:capability sys_chroot; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_exec_chroot'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all executable files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corecmd_getattr_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_getattr_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - type bin_t; - ') - - corecmd_list_bin($1) - getattr_files_pattern($1, bin_t, exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_getattr_all_executables'($*)) dnl - ') - - -######################################## -## -## Read all executable files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corecmd_read_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_read_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - ') - - corecmd_search_bin($1) - read_files_pattern($1, exec_type, exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_read_all_executables'($*)) dnl - ') - - -######################################## -## -## Execute all executable files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corecmd_exec_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_exec_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - type bin_t; - ') - - corecmd_list_bin($1) - can_exec($1, exec_type) - read_lnk_files_pattern($1, bin_t, exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_exec_all_executables'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute all executables. -## -## -## -## Domain to not audit. -## -## -# - define(`corecmd_dontaudit_exec_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_exec_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - ') - - dontaudit $1 exec_type:file { execute execute_no_trans }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_exec_all_executables'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and all executable files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`corecmd_manage_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_manage_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - type bin_t; - ') - - corecmd_search_bin($1) - manage_files_pattern($1, bin_t, exec_type) - manage_lnk_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_manage_all_executables'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. -## -## -## -# - define(`corecmd_relabel_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_relabel_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - type bin_t; - ') - - corecmd_search_bin($1) - relabel_files_pattern($1, bin_t, exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_relabel_all_executables'($*)) dnl - ') - - -######################################## -## -## Mmap all executables as executable. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_mmap_all_executables',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_mmap_all_executables'($*)) dnl - - gen_require(` - attribute exec_type; - type bin_t; - ') - - corecmd_search_bin($1) - mmap_exec_files_pattern($1, bin_t, exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_mmap_all_executables'($*)) dnl - ') - - -# Now starts gentoo specific but cannot use ifdef_distro gentoo here - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corecmd_relabel_bin_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_dirs'($*)) dnl - - gen_require(` - type bin_t; - ') - - relabel_dirs_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the bin type. -## -## -## -## Domain allowed access. -## -## -# - define(`corecmd_relabel_bin_lnk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_lnk_files'($*)) dnl - - gen_require(` - type bin_t; - ') - - relabel_lnk_files_pattern($1, bin_t, bin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_lnk_files'($*)) dnl - ') - -## Policy for terminals. -## -## Depended on by other required modules. -## - -######################################## -## -## Transform specified type into a pty type. -## -## -## -## An object type that will applied to a pty. -## -## -# - define(`term_pty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_pty'($*)) dnl - - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_node($1) - allow $1 devpts_t:filesystem associate; - typeattribute $1 ptynode; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_pty'($*)) dnl - ') - - -######################################## -## -## Transform specified type into an user -## pty type. This allows it to be relabeled via -## type change by login programs such as ssh. -## -## -## -## The type of the user domain associated with -## this pty. -## -## -## -## -## An object type that will applied to a pty. 
-## -## -# - define(`term_user_pty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_user_pty'($*)) dnl - - gen_require(` - attribute server_ptynode; - ') - - term_pty($2) - type_change $1 server_ptynode:chr_file $2; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_user_pty'($*)) dnl - ') - - -######################################## -## -## Transform specified type into a pty type -## used by login programs, such as sshd. -## -## -## -## An object type that will applied to a pty. -## -## -# - define(`term_login_pty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_login_pty'($*)) dnl - - gen_require(` - attribute server_ptynode; - ') - - term_pty($1) - typeattribute $1 server_ptynode; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_login_pty'($*)) dnl - ') - - -######################################## -## -## Transform specified type into a tty type. -## -## -## -## An object type that will applied to a tty. -## -## -# - define(`term_tty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_tty'($*)) dnl - - gen_require(` - attribute ttynode, serial_device; - ') - - typeattribute $1 ttynode, serial_device; - - dev_node($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_tty'($*)) dnl - ') - - -######################################## -## -## Transform specified type into a user tty type. -## -## -## -## User domain that is related to this tty. -## -## -## -## -## An object type that will applied to a tty. 
-## -## -# - define(`term_user_tty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_user_tty'($*)) dnl - - gen_require(` - attribute ttynode; - type console_device_t; - type tty_device_t; - ') - - term_tty($2) - - type_change $1 tty_device_t:chr_file $2; - - # Debian login is from shadow utils and does not allow resetting the perms. - # have to fix this! - ifdef(`distro_debian',` - type_change $1 ttynode:chr_file $2; - ') - - tunable_policy(`console_login',` - # When user logs in from /dev/console, relabel it - # to user tty type as well. - type_change $1 console_device_t:chr_file $2; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_user_tty'($*)) dnl - ') - - -######################################## -## -## mount a devpts_t filesystem -## -## -## -## The type of the process to mount it -## -## -# - define(`term_mount_devpts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_mount_devpts'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_mount_devpts'($*)) dnl - ') - - -######################################## -## -## Create directory /dev/pts. -## -## -## -## The type of the process creating the directory. -## -## -# - define(`term_create_devpts_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_create_devpts_dirs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_create_devpts_dirs'($*)) dnl - ') - - -######################################## -## -## Create a pty in the /dev/pts directory. -## -## -## -## The type of the process creating the pty. 
-## -## -## -## -## The type of the pty. -## -## -# - define(`term_create_pty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_create_pty'($*)) dnl - - gen_require(` - type bsdpty_device_t, devpts_t, ptmx_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptmx_t:chr_file rw_file_perms; - - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:filesystem getattr; - dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; - type_transition $1 devpts_t:chr_file $2; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_create_pty'($*)) dnl - ') - - -######################################## -## -## Write the console, all -## ttys and all ptys. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_write_all_terms',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_write_all_terms'($*)) dnl - - gen_require(` - attribute ttynode, ptynode; - type console_device_t, devpts_t, tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_write_all_terms'($*)) dnl - ') - - -######################################## -## -## Read and write the console, all -## ttys and all ptys. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`term_use_all_terms',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_all_terms'($*)) dnl - - gen_require(` - attribute ttynode, ptynode; - type console_device_t, devpts_t, tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_all_terms'($*)) dnl - ') - - -######################################## -## -## Write to the console. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_write_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_write_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_write_console'($*)) dnl - ') - - -######################################## -## -## Read from the console. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_read_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_read_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_read_console'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read from the console. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`term_dontaudit_read_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_read_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dontaudit $1 console_device_t:chr_file read_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_read_console'($*)) dnl - ') - - -######################################## -## -## Read from and write to the console. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_use_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_console'($*)) dnl - ') - - -######################################## -## -## Do not audit attemtps to read from -## or write to the console. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_use_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_console'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the console -## device node. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`term_setattr_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_console'($*)) dnl - ') - - -######################################## -## -## Relabel from and to the console type. -## -## -## -## Domain allowed access. -## -## -# - define(`term_relabel_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_console'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 console_device_t:chr_file relabel_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_console'($*)) dnl - ') - - -######################################## -## -## Create the console device (/dev/console). -## -## -## -## Domain allowed access. -## -## -# - define(`term_create_console_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_create_console_dev'($*)) dnl - - gen_require(` - type console_device_t; - ') - - dev_add_entry_generic_dirs($1) - allow $1 console_device_t:chr_file create; - allow $1 self:capability mknod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_create_console_dev'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a pty filesystem -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_getattr_pty_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_pty_fs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_pty_fs'($*)) dnl - ') - - -######################################## -## -## Relabel from and to pty filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`term_relabel_pty_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_pty_fs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:filesystem { relabelto relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_pty_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the -## /dev/pts directory. -## -## -## -## Domain allowed access. -## -## -# - define(`term_getattr_pty_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_pty_dirs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_pty_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of the /dev/pts directory. -## -## -## -## Domain to not audit. 
-## -## -# - define(`term_dontaudit_getattr_pty_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_pty_dirs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_pty_dirs'($*)) dnl - ') - - -######################################## -## -## Search the contents of the /dev/pts directory. -## -## -## -## Domain allowed access. -## -## -# - define(`term_search_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_search_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_search_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## contents of the /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_search_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_search_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_dontaudit_list_all_dev_nodes($1) - dontaudit $1 devpts_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_search_ptys'($*)) dnl - ') - - -######################################## -## -## Read the /dev/pts directory to -## list all ptys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_list_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_list_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_list_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the -## /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_list_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_list_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir { getattr search read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_list_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, or delete the /dev/pts directory. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_manage_pty_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_manage_pty_dirs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_manage_pty_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from and to pty directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_relabel_pty_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_pty_dirs'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir relabel_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_pty_dirs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of generic pty devices. -## -## -## -## Domain to allow -## -## -# - define(`term_getattr_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_generic_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of generic pty devices. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_getattr_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_generic_ptys'($*)) dnl - ') - -######################################## -## -## ioctl of generic pty devices. -## -## -## -## Domain allowed access. 
-## -## -# -# cjp: added for ppp - define(`term_ioctl_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_ioctl_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir search; - allow $1 devpts_t:chr_file ioctl; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_ioctl_generic_ptys'($*)) dnl - ') - - -######################################## -## -## Allow setting the attributes of -## generic pty devices. -## -## -## -## Domain allowed access. -## -## -# -# dwalsh: added for rhgb - define(`term_setattr_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - allow $1 devpts_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_generic_ptys'($*)) dnl - ') - - -######################################## -## -## Dontaudit setting the attributes of -## generic pty devices. -## -## -## -## Domain to not audit. -## -## -# -# dwalsh: added for rhgb - define(`term_dontaudit_setattr_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_generic_ptys'($*)) dnl - ') - - -######################################## -## -## Read and write the generic pty -## type. This is generally only used in -## the targeted policy. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_use_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 devpts_t:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_generic_ptys'($*)) dnl - ') - - -######################################## -## -## Dot not audit attempts to read and -## write the generic pty type. This is -## generally only used in the targeted policy. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_use_generic_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_generic_ptys'($*)) dnl - - gen_require(` - type devpts_t; - ') - - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_generic_ptys'($*)) dnl - ') - - -####################################### -## -## Set the attributes of the tty device -## -## -## -## Domain allowed access. -## -## -# - define(`term_setattr_controlling_term',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_controlling_term'($*)) dnl - - gen_require(` - type devtty_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_controlling_term'($*)) dnl - ') - - -######################################## -## -## Read and write the controlling -## terminal (/dev/tty). -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_use_controlling_term',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_controlling_term'($*)) dnl - - gen_require(` - type devtty_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devtty_t:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_controlling_term'($*)) dnl - ') - - -####################################### -## -## Get the attributes of the pty multiplexor (/dev/ptmx). -## -## -## -## Domain to not audit. -## -## -# - define(`term_getattr_ptmx',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_ptmx'($*)) dnl - - gen_require(` - type ptmx_t; - ') - - allow $1 ptmx_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_ptmx'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attributes -## on the pty multiplexor (/dev/ptmx). -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_getattr_ptmx',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_ptmx'($*)) dnl - - gen_require(` - type ptmx_t; - ') - - dontaudit $1 ptmx_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_ptmx'($*)) dnl - ') - - -######################################## -## -## Read and write the pty multiplexor (/dev/ptmx). -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_use_ptmx',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_ptmx'($*)) dnl - - gen_require(` - type ptmx_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptmx_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_ptmx'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write the pty multiplexor (/dev/ptmx). -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_use_ptmx',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_ptmx'($*)) dnl - - gen_require(` - type ptmx_t; - ') - - dontaudit $1 ptmx_t:chr_file { getattr read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_ptmx'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all -## pty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_getattr_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_all_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of any pty -## device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`term_dontaudit_getattr_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - ') - - dontaudit $1 ptynode:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ptys'($*)) dnl - ') - - -######################################## -## -## Set the attributes of all -## pty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_setattr_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_all_ptys'($*)) dnl - ') - - -######################################## -## -## Relabel to all ptys. -## -## -## -## Domain allowed access. -## -## -# - define(`term_relabelto_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabelto_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - ') - - allow $1 ptynode:chr_file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabelto_all_ptys'($*)) dnl - ') - - -######################################## -## -## Write to all ptys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_write_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_write_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ptynode:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_write_all_ptys'($*)) dnl - ') - - -######################################## -## -## Read and write all ptys. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_use_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 devpts_t:dir list_dir_perms; - allow $1 ptynode:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_all_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write any ptys. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_use_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - ') - - dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ptys'($*)) dnl - ') - - -######################################## -## -## Relabel from and to all pty device nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_relabel_all_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_all_ptys'($*)) dnl - - gen_require(` - attribute ptynode; - type devpts_t; - ') - - dev_list_all_dev_nodes($1) - relabel_chr_files_pattern($1, devpts_t, ptynode) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_all_ptys'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all unallocated -## tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_getattr_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Setattr and unlink unallocated tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_setattr_unlink_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_unlink_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file { getattr setattr unlink }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_unlink_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all unallocated tty device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`term_dontaudit_getattr_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Set the attributes of all unallocated -## tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_setattr_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## of unallocated tty device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_setattr_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to ioctl -## unallocated tty device nodes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`term_dontaudit_ioctl_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file ioctl; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Relabel from and to the unallocated -## tty type. -## -## -## -## Domain allowed access. -## -## -# - define(`term_relabel_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file relabel_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Relabel from all user tty types to -## the unallocated tty type. -## -## -## -## Domain allowed access. -## -## -# - define(`term_reset_tty_labels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_reset_tty_labels'($*)) dnl - - gen_require(` - attribute ttynode; - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file relabelfrom; - allow $1 tty_device_t:chr_file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_reset_tty_labels'($*)) dnl - ') - - -######################################## -## -## Append to unallocated ttys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`term_append_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_append_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file append_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_append_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Write to unallocated ttys. -## -## -## -## Domain allowed access. -## -## -# - define(`term_write_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_write_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_write_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Read and write unallocated ttys. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_use_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 tty_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or -## write unallocated ttys. -## -## -## -## Domain to not audit. 
-## -## -# - define(`term_dontaudit_use_unallocated_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_unallocated_ttys'($*)) dnl - - gen_require(` - type tty_device_t; - ') - - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_unallocated_ttys'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all tty device nodes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`term_getattr_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_getattr_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_getattr_all_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of any tty device nodes. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_getattr_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - dontaudit $1 ttynode:chr_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ttys'($*)) dnl - ') - - -######################################## -## -## Set the attributes of all tty device nodes. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`term_setattr_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_setattr_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_setattr_all_ttys'($*)) dnl - ') - - -######################################## -## -## Relabel from and to all tty device nodes. -## -## -## -## Domain allowed access. -## -## -# - define(`term_relabel_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_relabel_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file relabel_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_relabel_all_ttys'($*)) dnl - ') - - -######################################## -## -## Write to all ttys. -## -## -## -## Domain allowed access. -## -## -# - define(`term_write_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_write_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file write_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_write_all_ttys'($*)) dnl - ') - - -######################################## -## -## Read and write all ttys. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`term_use_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_all_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## any ttys. -## -## -## -## Domain to not audit. -## -## -# - define(`term_dontaudit_use_all_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ttys'($*)) dnl - - gen_require(` - attribute ttynode; - ') - - dontaudit $1 ttynode:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ttys'($*)) dnl - ') - - -##################################### -## -## Read from and write virtio console. -## -## -## -## Domain allowed access. -## -## -# - define(`term_use_virtio_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `term_use_virtio_console'($*)) dnl - - gen_require(` - type virtio_device_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 virtio_device_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `term_use_virtio_console'($*)) dnl - ') - -## Policy for filesystems. -## -## Contains the initial SID for the filesystems. -## - -######################################## -## -## Transform specified type into a filesystem type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_type'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - typeattribute $1 filesystem_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_type'($*)) dnl - ') - - -######################################## -## -## Transform specified type into a filesystem -## type which does not have extended attribute -## support. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_noxattr_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_noxattr_type'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - fs_type($1) - - typeattribute $1 noxattrfs; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_noxattr_type'($*)) dnl - ') - - -######################################## -## -## Associate the specified file type to persistent -## filesystems with extended attributes. This -## allows a file of this type to be created on -## a filesystem such as ext3, JFS, and XFS. -## -## -## -## The type of the to be associated. -## -## -# - define(`fs_associate',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_associate'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_associate'($*)) dnl - ') - - -######################################## -## -## Associate the specified file type to -## filesystems which lack extended attributes -## support. This allows a file of this type -## to be created on a filesystem such as -## FAT32, and NFS. -## -## -## -## The type of the to be associated. 
-## -## -# - define(`fs_associate_noxattr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_associate_noxattr'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_associate_noxattr'($*)) dnl - ') - - -######################################## -## -## Execute files on a filesystem that does -## not support extended attributes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_exec_noxattr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_exec_noxattr'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - can_exec($1, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_exec_noxattr'($*)) dnl - ') - - -######################################## -## -## Transform specified type into a filesystem -## type which has extended attribute -## support. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_xattr_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_xattr_type'($*)) dnl - - gen_require(` - attribute xattrfs; - ') - - fs_type($1) - - typeattribute $1 xattrfs; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_xattr_type'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all the -## filesystems which have extended -## attributes. -## This includes pseudo filesystems. -## -## -##

-## Allow the specified domain to -## get the attributes of a filesystems -## which have extended attributes. -## Example attributes: -##

-##
    -##
  • Type of the file system (e.g., tmpfs)
  • -##
  • Size of the file system
  • -##
  • Available space on the file system
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`fs_getattr_all_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_xattr_fs'($*)) dnl - - gen_require(` - attribute xattrfs; - ') - - allow $1 xattrfs:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Mount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Remount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Unmount a persistent filesystem which -## has extended attributes, such as -## ext3, JFS, or XFS. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of persistent -## filesystems which have extended -## attributes, such as ext3, JFS, or XFS. -## -## -##

-## Allow the specified domain to -## get the attributes of a persistent -## filesystems which have extended -## attributes, such as ext3, JFS, or XFS. -## Example attributes: -##

-##
    -##
  • Type of the file system (e.g., ext3)
  • -##
  • Size of the file system
  • -##
  • Available space on the file system
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`fs_getattr_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to -## get the attributes of a persistent -## filesystem which has extended -## attributes, such as ext3, JFS, or XFS. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - dontaudit $1 fs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Allow changing of the label of a -## filesystem with extended attributes -## using the context= mount option. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_xattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_xattr_fs'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_xattr_fs'($*)) dnl - ') - - -######################################## -## -## Get the filesystem quotas of a filesystem -## with extended attributes. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_get_xattr_fs_quotas',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_get_xattr_fs_quotas'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem quotaget; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_get_xattr_fs_quotas'($*)) dnl - ') - - -######################################## -## -## Set the filesystem quotas of a filesystem -## with extended attributes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_set_xattr_fs_quotas',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_set_xattr_fs_quotas'($*)) dnl - - gen_require(` - type fs_t; - ') - - allow $1 fs_t:filesystem quotamod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_set_xattr_fs_quotas'($*)) dnl - ') - - -######################################## -## -## Read files on anon_inodefs file systems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_anon_inodefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_anon_inodefs_files'($*)) dnl - - gen_require(` - type anon_inodefs_t; - - ') - - read_files_pattern($1, anon_inodefs_t, anon_inodefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_anon_inodefs_files'($*)) dnl - ') - - -######################################## -## -## Read and write files on anon_inodefs -## file systems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_rw_anon_inodefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_anon_inodefs_files'($*)) dnl - - gen_require(` - type anon_inodefs_t; - - ') - - rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_anon_inodefs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write files on -## anon_inodefs file systems. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_rw_anon_inodefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl - - gen_require(` - type anon_inodefs_t; - - ') - - dontaudit $1 anon_inodefs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl - ') - - -######################################## -## -## Mount an automount pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_autofs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_autofs'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_autofs'($*)) dnl - ') - - -######################################## -## -## Remount an automount pseudo filesystem -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_remount_autofs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_autofs'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_autofs'($*)) dnl - ') - - -######################################## -## -## Unmount an automount pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_autofs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_autofs'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_autofs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of an automount -## pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_autofs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_autofs'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_autofs'($*)) dnl - ') - - -######################################## -## -## Search automount filesystem to use automatically -## mounted filesystems. -## -## -## Allow the specified domain to search mount points -## that have filesystems that are mounted by -## the automount service. Generally this will -## be required for any domain that accesses objects -## on these filesystems. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_search_auto_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_auto_mountpoints'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_auto_mountpoints'($*)) dnl - ') - - -######################################## -## -## Read directories of automatically -## mounted filesystems. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_list_auto_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_auto_mountpoints'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_auto_mountpoints'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list directories of automatically -## mounted filesystems. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_list_auto_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_auto_mountpoints'($*)) dnl - - gen_require(` - type autofs_t; - ') - - dontaudit $1 autofs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_auto_mountpoints'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links -## on an autofs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_autofs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_autofs_symlinks'($*)) dnl - - gen_require(` - type autofs_t; - ') - - manage_lnk_files_pattern($1, autofs_t, autofs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_autofs_symlinks'($*)) dnl - ') - - -######################################## -## -## Get the attributes of directories on -## binfmt_misc filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_binfmt_misc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_binfmt_misc_dirs'($*)) dnl - - gen_require(` - type binfmt_misc_fs_t; - ') - - allow $1 binfmt_misc_fs_t:dir getattr; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_binfmt_misc_dirs'($*)) dnl - ') - - -######################################## -## -## Register an interpreter for new binary -## file types, using the kernel binfmt_misc -## support. -## -## -##

-## Register an interpreter for new binary -## file types, using the kernel binfmt_misc -## support. -##

-##

-## A common use for this is to -## register a JVM as an interpreter for -## Java byte code. Registered binaries -## can be directly executed on a command line -## without specifying the interpreter. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`fs_register_binary_executable_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_register_binary_executable_type'($*)) dnl - - gen_require(` - type binfmt_misc_fs_t; - ') - - # binfmt_misc filesystem is usually mounted on /proc/sys/fs/binfmt_misc - kernel_search_fs_sysctls($1) - rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_register_binary_executable_type'($*)) dnl - ') - - -######################################## -## -## Mount cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_cgroup',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_cgroup'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_cgroup'($*)) dnl - ') - - -######################################## -## -## Remount cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_cgroup',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_cgroup'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_cgroup'($*)) dnl - ') - - -######################################## -## -## Unmount cgroup filesystems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_cgroup',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_cgroup'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_cgroup'($*)) dnl - ') - - -######################################## -## -## Get attributes of cgroup filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_cgroup',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup'($*)) dnl - ') - - -######################################## -## -## Search cgroup directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_cgroup_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_cgroup_dirs'($*)) dnl - - gen_require(` - type cgroup_t; - - ') - - search_dirs_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_cgroup_dirs'($*)) dnl - ') - - -######################################## -## -## list cgroup directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_list_cgroup_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_cgroup_dirs'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_cgroup_dirs'($*)) dnl - ') - - -######################################## -## -## Delete cgroup directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_delete_cgroup_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_delete_cgroup_dirs'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - delete_dirs_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_delete_cgroup_dirs'($*)) dnl - ') - - -######################################## -## -## Manage cgroup directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_cgroup_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_dirs'($*)) dnl - - gen_require(` - type cgroup_t; - - ') - - manage_dirs_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel cgroup directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_relabel_cgroup_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_dirs'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - relabel_dirs_pattern($1, cgroup_t, cgroup_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_dirs'($*)) dnl - ') - - -######################################## -## -## Get attributes of cgroup files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - getattr_files_pattern($1, cgroup_t, cgroup_t) - fs_search_tmpfs($1) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Read cgroup files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - - ') - - read_files_pattern($1, cgroup_t, cgroup_t) - read_lnk_files_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Watch cgroup files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_watch_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_watch_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - - ') - - allow $1 cgroup_t:file watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_watch_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Create cgroup lnk_files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_create_cgroup_links',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_create_cgroup_links'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - create_lnk_files_pattern($1, cgroup_t, cgroup_t) - rw_lnk_files_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_create_cgroup_links'($*)) dnl - ') - - -######################################## -## -## Write cgroup files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_write_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_write_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - write_files_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_write_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Read and write cgroup files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_rw_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - rw_files_pattern($1, cgroup_t, cgroup_t) - read_lnk_files_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to open, -## get attributes, read and write -## cgroup files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_rw_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - dontaudit $1 cgroup_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Manage cgroup files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_cgroup_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_files'($*)) dnl - - gen_require(` - type cgroup_t; - - ') - - manage_files_pattern($1, cgroup_t, cgroup_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_files'($*)) dnl - ') - - -######################################## -## -## Relabel cgroup symbolic links. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_relabel_cgroup_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_symlinks'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - relabel_lnk_files_pattern($1, cgroup_t, cgroup_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_symlinks'($*)) dnl - ') - - -######################################## -## -## Mount on cgroup directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mounton_cgroup',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_cgroup'($*)) dnl - - gen_require(` - type cgroup_t; - ') - - allow $1 cgroup_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_cgroup'($*)) dnl - ') - - -######################################## -## -## Create an object in a cgroup tmpfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`fs_cgroup_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_cgroup_filetrans'($*)) dnl - - gen_require(` - type cgroup_t, tmpfs_t; - ') - - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, cgroup_t, $2, $3, $4) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_cgroup_filetrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_list_cifs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs_dirs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_cifs'($*)) dnl - ') - - -######################################## -## -## Remount a CIFS or SMB network filesystem. -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_cifs'($*)) dnl - ') - - -######################################## -## -## Unmount a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_cifs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a CIFS or -## SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_getattr_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_cifs'($*)) dnl - ') - - -######################################## -## -## Search directories on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_cifs'($*)) dnl - ') - - -######################################## -## -## List the contents of directories on a -## CIFS or SMB filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_list_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_cifs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_list_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs'($*)) dnl - ') - - -######################################## -## -## Mounton a CIFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mounton_cifs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_cifs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_cifs'($*)) dnl - ') - - -######################################## -## -## Read files on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_read_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - read_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_cifs_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of filesystems that -## do not have extended attribute support. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_getattr_noxattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_noxattr_fs'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_noxattr_fs'($*)) dnl - ') - - -######################################## -## -## Read all noxattrfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_noxattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_noxattr_fs'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_noxattr_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list all -## noxattrfs directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_list_noxattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_noxattr_fs'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - dontaudit $1 noxattrfs:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_noxattr_fs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all noxattrfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_noxattr_fs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_dirs'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_dirs'($*)) dnl - ') - - -######################################## -## -## Read all noxattrfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_noxattr_fs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_files'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - fs_list_noxattr_fs($1) - read_files_pattern($1, noxattrfs, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read all -## noxattrfs files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_read_noxattr_fs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_noxattr_fs_files'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - dontaudit $1 noxattrfs:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_noxattr_fs_files'($*)) dnl - ') - - -######################################## -## -## Dont audit attempts to write to noxattrfs files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_write_noxattr_fs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_noxattr_fs_files'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - dontaudit $1 noxattrfs:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_noxattr_fs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all noxattrfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_noxattr_fs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_files'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - fs_list_noxattr_fs($1) - manage_files_pattern($1, noxattrfs, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_files'($*)) dnl - ') - - -######################################## -## -## Read all noxattrfs symbolic links. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_noxattr_fs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_symlinks'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - fs_list_noxattr_fs($1) - read_lnk_files_pattern($1, noxattrfs, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_symlinks'($*)) dnl - ') - - -######################################## -## -## Manage all noxattrfs symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_noxattr_fs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_symlinks'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - fs_list_noxattr_fs($1) - manage_lnk_files_pattern($1, noxattrfs, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_symlinks'($*)) dnl - ') - - -######################################## -## -## Relabel all objets from filesystems that -## do not support extended attributes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_relabelfrom_noxattr_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_noxattr_fs'($*)) dnl - - gen_require(` - attribute noxattrfs; - ') - - allow $1 noxattrfs:dir list_dir_perms; - relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs) - relabelfrom_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_noxattr_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## files on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_read_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_cifs_files'($*)) dnl - ') - - -######################################## -## -## Append files -## on a CIFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_append_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_append_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - append_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_append_cifs_files'($*)) dnl - ') - - -######################################## -## -## dontaudit Append files -## on a CIFS filesystem. 
-## -## -## -## Domain to not audit. -## -## -## -# - define(`fs_dontaudit_append_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_cifs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or -## write files on a CIFS or SMB filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_rw_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cifs_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links on a CIFS or SMB filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_cifs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_cifs_symlinks'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - read_lnk_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_cifs_symlinks'($*)) dnl - ') - - -######################################## -## -## Read named pipes -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_cifs_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_pipes'($*)) dnl - - gen_require(` - type cifs_t; - ') - - read_fifo_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_pipes'($*)) dnl - ') - - -######################################## -## -## Read named sockets -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_cifs_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_sockets'($*)) dnl - - gen_require(` - type cifs_t; - ') - - read_sock_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_sockets'($*)) dnl - ') - - -######################################## -## -## Execute files on a CIFS or SMB -## network filesystem, in the caller -## domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_exec_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_exec_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir list_dir_perms; - exec_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_exec_cifs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_manage_cifs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_dirs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cifs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a CIFS or SMB network filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_manage_cifs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_dirs'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_manage_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - manage_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cifs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete files -## on a CIFS or SMB network filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_manage_cifs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_files'($*)) dnl - - gen_require(` - type cifs_t; - ') - - dontaudit $1 cifs_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_cifs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_symlinks'($*)) dnl - - gen_require(` - type cifs_t; - ') - - manage_lnk_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cifs_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete named pipes -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_cifs_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_pipes'($*)) dnl - - gen_require(` - type cifs_t; - ') - - manage_fifo_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete named sockets -## on a CIFS or SMB network filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_cifs_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_sockets'($*)) dnl - - gen_require(` - type cifs_t; - ') - - manage_sock_files_pattern($1, cifs_t, cifs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_sockets'($*)) dnl - ') - - -######################################## -## -## Execute a file on a CIFS or SMB filesystem -## in the specified domain. -## -## -##

-## Execute a file on a CIFS or SMB filesystem -## in the specified domain. This allows -## the specified domain to execute any file -## on these filesystems in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## home directories on CIFS/SMB filesystems, -## in particular used by the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# - define(`fs_cifs_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_cifs_domtrans'($*)) dnl - - gen_require(` - type cifs_t; - ') - - allow $1 cifs_t:dir search_dir_perms; - domain_auto_transition_pattern($1, cifs_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_cifs_domtrans'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete dirs -## on a configfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_configfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_dirs'($*)) dnl - - gen_require(` - type configfs_t; - ') - - manage_dirs_pattern($1, configfs_t, configfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_configfs_dirs'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete files -## on a configfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_configfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_files'($*)) dnl - - gen_require(` - type configfs_t; - ') - - manage_files_pattern($1, configfs_t, configfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_configfs_files'($*)) dnl - ') - - -######################################## -## -## Mount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_mount_dos_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_dos_fs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_dos_fs'($*)) dnl - ') - - -######################################## -## -## Remount a DOS filesystem, such as -## FAT32 or NTFS. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_dos_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_dos_fs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_dos_fs'($*)) dnl - ') - - -######################################## -## -## Unmount a DOS filesystem, such as -## FAT32 or NTFS. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_dos_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_dos_fs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_dos_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a DOS -## filesystem, such as FAT32 or NTFS. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_getattr_dos_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_dos_fs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_dos_fs'($*)) dnl - ') - - -######################################## -## -## Allow changing of the label of a -## DOS filesystem using the context= mount option. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_dos_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_dos_fs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:filesystem relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_dos_fs'($*)) dnl - ') - - -######################################## -## -## Get attributes of directories on a dosfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_dos_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_dos_dirs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_dos_dirs'($*)) dnl - ') - - -######################################## -## -## Search dosfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_search_dos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_dos'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - allow $1 dosfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_dos'($*)) dnl - ') - - -######################################## -## -## List dirs DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_dos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_dos'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - list_dirs_pattern($1, dosfs_t, dosfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_dos'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete dirs -## on a DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_dos_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_dos_dirs'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - manage_dirs_pattern($1, dosfs_t, dosfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_dos_dirs'($*)) dnl - ') - - -######################################## -## -## Read files on a DOS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_dos_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_dos_files'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - read_files_pattern($1, dosfs_t, dosfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_dos_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## on a DOS filesystem. 
-## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_dos_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_dos_files'($*)) dnl - - gen_require(` - type dosfs_t; - ') - - manage_files_pattern($1, dosfs_t, dosfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_dos_files'($*)) dnl - ') - - -######################################## -## -## List dirs in efivarfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_efivars',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_efivars'($*)) dnl - - gen_require(` - type efivarfs_t; - ') - - list_dirs_pattern($1, efivarfs_t, efivarfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_efivars'($*)) dnl - ') - - -####################################### -## -## Read files in efivarfs -## - contains Linux Kernel configuration options for UEFI systems -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_read_efivarfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_efivarfs_files'($*)) dnl - - gen_require(` - type efivarfs_t; - ') - - read_files_pattern($1, efivarfs_t, efivarfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_efivarfs_files'($*)) dnl - ') - - -######################################## -## -## stat a FUSE filesystem -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_fusefs'($*)) dnl - ') - - -######################################## -## -## Mount a FUSE filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_fusefs'($*)) dnl - ') - - -######################################## -## -## Unmount a FUSE filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_fusefs'($*)) dnl - ') - - -######################################## -## -## Mounton a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mounton_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_fusefs'($*)) dnl - ') - - -######################################## -## -## Search directories -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_search_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_fusefs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a FUSEFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_list_fusefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_fusefs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_fusefs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_manage_fusefs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_dirs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a FUSEFS filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_manage_fusefs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_dirs'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_dirs'($*)) dnl - ') - - -######################################## -## -## Read, a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_read_fusefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_files'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - read_files_pattern($1, fusefs_t, fusefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_fusefs_files'($*)) dnl - ') - - -######################################## -## -## Execute files on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_exec_fusefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_exec_fusefs_files'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - exec_files_pattern($1, fusefs_t, fusefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_exec_fusefs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_manage_fusefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_files'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - manage_files_pattern($1, fusefs_t, fusefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_manage_fusefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_files'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - dontaudit $1 fusefs_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links on a FUSEFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_fusefs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_symlinks'($*)) dnl - - gen_require(` - type fusefs_t; - ') - - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_fusefs_symlinks'($*)) dnl - ') - - -######################################## -## -## Get the attributes of an hugetlbfs -## filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_hugetlbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_hugetlbfs'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_hugetlbfs'($*)) dnl - ') - - -######################################## -## -## List hugetlbfs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_hugetlbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_hugetlbfs'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_hugetlbfs'($*)) dnl - ') - - -######################################## -## -## Manage hugetlbfs dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_hugetlbfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_hugetlbfs_dirs'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_hugetlbfs_dirs'($*)) dnl - ') - - -######################################## -## -## Read and write inherited hugetlbfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_rw_inherited_hugetlbfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_hugetlbfs_files'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:file rw_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_inherited_hugetlbfs_files'($*)) dnl - ') - - -######################################## -## -## Read and write hugetlbfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_hugetlbfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_hugetlbfs_files'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_hugetlbfs_files'($*)) dnl - ') - - -######################################## -## -## Read, map and write hugetlbfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mmap_rw_hugetlbfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mmap_rw_hugetlbfs_files'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - fs_rw_hugetlbfs_files($1) - allow $1 hugetlbfs_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mmap_rw_hugetlbfs_files'($*)) dnl - ') - - -######################################## -## -## Allow the type to associate to hugetlbfs filesystems. -## -## -## -## The type of the object to be associated. 
-## -## -# - define(`fs_associate_hugetlbfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_associate_hugetlbfs'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - allow $1 hugetlbfs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_associate_hugetlbfs'($*)) dnl - ') - - -######################################## -## -## Search inotifyfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_inotifyfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_inotifyfs'($*)) dnl - - gen_require(` - type inotifyfs_t; - ') - - allow $1 inotifyfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_inotifyfs'($*)) dnl - ') - - -######################################## -## -## List inotifyfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_inotifyfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_inotifyfs'($*)) dnl - - gen_require(` - type inotifyfs_t; - ') - - allow $1 inotifyfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_inotifyfs'($*)) dnl - ') - - -######################################## -## -## Dontaudit List inotifyfs filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_list_inotifyfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_inotifyfs'($*)) dnl - - gen_require(` - type inotifyfs_t; - ') - - dontaudit $1 inotifyfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_inotifyfs'($*)) dnl - ') - - -######################################## -## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`fs_hugetlbfs_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_hugetlbfs_filetrans'($*)) dnl - - gen_require(` - type hugetlbfs_t; - ') - - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_hugetlbfs_filetrans'($*)) dnl - ') - - -######################################## -## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_iso9660_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_iso9660_fs'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_iso9660_fs'($*)) dnl - ') - - -######################################## -## -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_remount_iso9660_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_iso9660_fs'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_iso9660_fs'($*)) dnl - ') - - -######################################## -## -## Allow changing of the label of a -## filesystem with iso9660 type -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_iso9660_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_iso9660_fs'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_iso9660_fs'($*)) dnl - ') - - -######################################## -## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_iso9660_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_iso9660_fs'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_iso9660_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_getattr_iso9660_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_fs'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files on an iso9660 -## filesystem, which is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_iso9660_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_files'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:dir list_dir_perms; - allow $1 iso9660_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_files'($*)) dnl - ') - - -######################################## -## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_iso9660_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_iso9660_files'($*)) dnl - - gen_require(` - type iso9660_t; - ') - - allow $1 iso9660_t:dir list_dir_perms; - read_files_pattern($1, iso9660_t, iso9660_t) - read_lnk_files_pattern($1, iso9660_t, iso9660_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_iso9660_files'($*)) dnl - ') - - -######################################## -## -## Mount a NFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_mount_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_nfs'($*)) dnl - ') - - -######################################## -## -## Remount a NFS filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_nfs'($*)) dnl - ') - - -######################################## -## -## Unmount a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_nfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_getattr_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_nfs'($*)) dnl - ') - - -######################################## -## -## Search directories on a NFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_search_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_nfs'($*)) dnl - ') - - -######################################## -## -## List NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_nfs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list the contents -## of directories on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_list_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_nfs'($*)) dnl - ') - - -######################################## -## -## Mounton a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mounton_nfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_nfs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_nfs'($*)) dnl - ') - - -######################################## -## -## Read files on a NFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_read_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_nfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## files on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_read_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_files'($*)) dnl - ') - - -######################################## -## -## Read files on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_write_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_write_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_write_nfs_files'($*)) dnl - ') - - -######################################## -## -## Execute files on a NFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_exec_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_exec_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - exec_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_exec_nfs_files'($*)) dnl - ') - - -######################################## -## -## Append files -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_append_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_append_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - append_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_append_nfs_files'($*)) dnl - ') - - -######################################## -## -## dontaudit Append files -## on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -## -# - define(`fs_dontaudit_append_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_nfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or -## write files on a NFS filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_rw_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_nfs_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_nfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_nfs_symlinks'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir list_dir_perms; - read_lnk_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_nfs_symlinks'($*)) dnl - ') - - -######################################## -## -## Dontaudit read symbolic links on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_read_nfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_symlinks'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_symlinks'($*)) dnl - ') - - -######################################### -## -## Read named sockets on a NFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_nfs_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_sockets'($*)) dnl - - gen_require(` - type nfs_t; - ') - - read_sock_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_sockets'($*)) dnl - ') - - -######################################### -## -## Read named pipes on a NFS network filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_read_nfs_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_pipes'($*)) dnl - - gen_require(` - type nfs_t; - ') - - read_fifo_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_pipes'($*)) dnl - ') - - -######################################## -## -## Get the attributes of directories of RPC -## file system pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_rpc_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_dirs'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir getattr; - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_dirs'($*)) dnl - ') - - -######################################## -## -## Search directories of RPC file system pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_search_rpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_rpc'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_rpc'($*)) dnl - ') - - -######################################## -## -## Search removable storage directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_removable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_removable'($*)) dnl - - gen_require(` - type removable_t; - ') - - allow $1 removable_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_removable'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list removable storage directories. -## -## -## -## Domain not to audit. -## -## -# - define(`fs_dontaudit_list_removable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_removable'($*)) dnl - - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_removable'($*)) dnl - ') - - -######################################## -## -## Read removable storage files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_removable_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_removable_files'($*)) dnl - - gen_require(` - type removable_t; - ') - - read_files_pattern($1, removable_t, removable_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_removable_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read removable storage files. -## -## -## -## Domain not to audit. -## -## -# - define(`fs_dontaudit_read_removable_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_removable_files'($*)) dnl - - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_removable_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write removable storage files. -## -## -## -## Domain not to audit. -## -## -# - define(`fs_dontaudit_write_removable_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_removable_files'($*)) dnl - - gen_require(` - type removable_t; - ') - - dontaudit $1 removable_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_removable_files'($*)) dnl - ') - - -######################################## -## -## Read removable storage symbolic links. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_removable_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_removable_symlinks'($*)) dnl - - gen_require(` - type removable_t; - ') - - read_lnk_files_pattern($1, removable_t, removable_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_removable_symlinks'($*)) dnl - ') - - -###################################### -## -## Read block nodes on removable filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_removable_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_removable_blk_files'($*)) dnl - - gen_require(` - type removable_t; - ') - - allow $1 removable_t:dir list_dir_perms; - read_blk_files_pattern($1, removable_t, removable_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_removable_blk_files'($*)) dnl - ') - - -######################################## -## -## Read and write block nodes on removable filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_removable_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_removable_blk_files'($*)) dnl - - gen_require(` - type removable_t; - ') - - allow $1 removable_t:dir list_dir_perms; - rw_blk_files_pattern($1, removable_t, removable_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_removable_blk_files'($*)) dnl - ') - - -######################################## -## -## Read directories of RPC file system pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_list_rpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_rpc'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_rpc'($*)) dnl - ') - - -######################################## -## -## Read files of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_rpc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_rpc_files'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_rpc_files'($*)) dnl - ') - - -######################################## -## -## Read symbolic links of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_rpc_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_rpc_symlinks'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_rpc_symlinks'($*)) dnl - ') - - -######################################## -## -## Read sockets of RPC file system pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_read_rpc_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_rpc_sockets'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:sock_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_rpc_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write sockets of RPC file system pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_rpc_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_sockets'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:sock_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_rpc_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_manage_nfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_dirs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_nfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a NFS filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_manage_nfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_dirs'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_manage_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - manage_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_nfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a NFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_manage_nfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_files'($*)) dnl - - gen_require(` - type nfs_t; - ') - - dontaudit $1 nfs_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_files'($*)) dnl - ') - - -######################################### -## -## Create, read, write, and delete symbolic links -## on a NFS network filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_manage_nfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_symlinks'($*)) dnl - - gen_require(` - type nfs_t; - ') - - manage_lnk_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_nfs_symlinks'($*)) dnl - ') - - -######################################### -## -## Create, read, write, and delete named pipes -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_nfs_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_pipes'($*)) dnl - - gen_require(` - type nfs_t; - ') - - manage_fifo_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_pipes'($*)) dnl - ') - - -######################################### -## -## Create, read, write, and delete named sockets -## on a NFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_nfs_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_sockets'($*)) dnl - - gen_require(` - type nfs_t; - ') - - manage_sock_files_pattern($1, nfs_t, nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_sockets'($*)) dnl - ') - - -######################################## -## -## Execute a file on a NFS filesystem -## in the specified domain. -## -## -##

-## Execute a file on a NFS filesystem -## in the specified domain. This allows -## the specified domain to execute any file -## on a NFS filesystem in the specified -## domain. This is not suggested. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##

-## This interface was added to handle -## home directories on NFS filesystems, -## in particular used by the ssh-agent policy. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# - define(`fs_nfs_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_nfs_domtrans'($*)) dnl - - gen_require(` - type nfs_t; - ') - - allow $1 nfs_t:dir search_dir_perms; - domain_auto_transition_pattern($1, nfs_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_nfs_domtrans'($*)) dnl - ') - - -######################################## -## -## Mount a NFS server pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Mount a NFS server pseudo filesystem. -## This allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Unmount a NFS server pseudo filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a NFS server -## pseudo filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Search NFS server directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## List NFS server directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_list_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - allow $1 nfsd_fs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Getattr files on an nfsd filesystem -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_nfsd_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_files'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_files'($*)) dnl - ') - - -######################################## -## -## Read and write NFS server files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_nfsd_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_nfsd_fs'($*)) dnl - - gen_require(` - type nfsd_fs_t; - ') - - rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_nfsd_fs'($*)) dnl - ') - - -######################################## -## -## Read nsfs inodes (e.g. /proc/pid/ns/uts) -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_nsfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_nsfs_files'($*)) dnl - - gen_require(` - type nsfs_t; - ') - - allow $1 nsfs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_nsfs_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a pstore filesystem. 
-## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_pstorefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_pstorefs'($*)) dnl - - gen_require(` - type pstore_t; - ') - - allow $1 pstore_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_pstorefs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of directories -## of a pstore filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_pstore_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_pstore_dirs'($*)) dnl - - gen_require(` - type pstore_t; - ') - - getattr_files_pattern($1, pstore_t, pstore_t) - dev_search_sysfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_pstore_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to/from pstore_t directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabel_pstore_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_pstore_dirs'($*)) dnl - - gen_require(` - type pstore_t; - ') - - relabel_dirs_pattern($1, pstore_t, pstore_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_pstore_dirs'($*)) dnl - ') - - -######################################## -## -## Allow the type to associate to ramfs filesystems. -## -## -## -## The type of the object to be associated. 
-## -## -# - define(`fs_associate_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_associate_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_associate_ramfs'($*)) dnl - ') - - -######################################## -## -## Mount a RAM filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_ramfs'($*)) dnl - ') - - -######################################## -## -## Remount a RAM filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_ramfs'($*)) dnl - ') - - -######################################## -## -## Unmount a RAM filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_ramfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a RAM filesystem. 
-## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_ramfs'($*)) dnl - ') - - -######################################## -## -## Search directories on a ramfs -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_ramfs'($*)) dnl - ') - - -######################################## -## -## Dontaudit Search directories on a ramfs -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_search_ramfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_ramfs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_ramfs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## directories on a ramfs. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_ramfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_dirs'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - allow $1 ramfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_dirs'($*)) dnl - ') - - -######################################## -## -## Dontaudit read on a ramfs files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_read_ramfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_files'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_files'($*)) dnl - ') - - -######################################## -## -## Dontaudit read on a ramfs fifo_files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_read_ramfs_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_pipes'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:fifo_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## files on a ramfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_ramfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_files'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - manage_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_files'($*)) dnl - ') - - -######################################## -## -## Write to named pipe on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_write_ramfs_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_pipes'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - write_fifo_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_write_ramfs_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to named -## pipes on a ramfs filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_write_ramfs_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_ramfs_pipes'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - dontaudit $1 ramfs_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_ramfs_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write a named pipe on a ramfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_rw_ramfs_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_ramfs_pipes'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - rw_fifo_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_ramfs_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## named pipes on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_ramfs_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_pipes'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - manage_fifo_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_pipes'($*)) dnl - ') - - -######################################## -## -## Write to named socket on a ramfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_write_ramfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_sockets'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - write_sock_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_write_ramfs_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## named sockets on a ramfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_ramfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_sockets'($*)) dnl - - gen_require(` - type ramfs_t; - ') - - manage_sock_files_pattern($1, ramfs_t, ramfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_sockets'($*)) dnl - ') - - -######################################## -## -## Mount a ROM filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_romfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_romfs'($*)) dnl - - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_romfs'($*)) dnl - ') - - -######################################## -## -## Remount a ROM filesystem. This allows -## some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_romfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_romfs'($*)) dnl - - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_romfs'($*)) dnl - ') - - -######################################## -## -## Unmount a ROM filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_romfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_romfs'($*)) dnl - - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_romfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a ROM -## filesystem. 
-## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_romfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_romfs'($*)) dnl - - gen_require(` - type romfs_t; - ') - - allow $1 romfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_romfs'($*)) dnl - ') - - -######################################## -## -## Mount a RPC pipe filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_rpc_pipefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_rpc_pipefs'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_rpc_pipefs'($*)) dnl - ') - - -######################################## -## -## Remount a RPC pipe filesystem. This -## allows some mount option to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_rpc_pipefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_rpc_pipefs'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_rpc_pipefs'($*)) dnl - ') - - -######################################## -## -## Unmount a RPC pipe filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_rpc_pipefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_rpc_pipefs'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_rpc_pipefs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a RPC pipe -## filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_rpc_pipefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_pipefs'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_pipefs'($*)) dnl - ') - - -######################################### -## -## Read and write RPC pipe filesystem named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_rpc_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_named_pipes'($*)) dnl - - gen_require(` - type rpc_pipefs_t; - ') - - allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_rpc_named_pipes'($*)) dnl - ') - - -######################################## -## -## Mount a tmpfs filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_mount_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_tmpfs'($*)) dnl - ') - - -######################################## -## -## Remount a tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_tmpfs'($*)) dnl - ') - - -######################################## -## -## Unmount a tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_unmount_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_tmpfs'($*)) dnl - ') - - -######################################## -## -## Do not audit getting the attributes of a tmpfs filesystem -## -## -## -## Domain to not audit -## -## -# - define(`fs_dontaudit_getattr_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a tmpfs -## filesystem. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_getattr_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs'($*)) dnl - ') - - -######################################## -## -## Allow the type to associate to tmpfs filesystems. -## -## -## -## The type of the object to be associated. -## -## -# - define(`fs_associate_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_associate_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem associate; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_associate_tmpfs'($*)) dnl - ') - - -######################################## -## -## Relabel from tmpfs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:filesystem relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of tmpfs directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of tmpfs directories. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Mount on tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mounton_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_tmpfs'($*)) dnl - ') - - -######################################## -## -## Mount on tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_mounton_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mounton_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:file mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mounton_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Set the attributes of tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_setattr_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_setattr_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_setattr_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Search tmpfs directories. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_tmpfs'($*)) dnl - ') - - -######################################## -## -## List the contents of generic tmpfs directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_list_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_tmpfs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list the -## contents of generic tmpfs directories. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_list_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_tmpfs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_tmpfs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## tmpfs directories -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## tmpfs directories -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_write_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from tmpfs_t dir -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel directory on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabel_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_dirs'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## Create an object in a tmpfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`fs_tmpfs_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, tmpfs_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to getattr -## generic tmpfs files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## generic tmpfs files. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_rw_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Delete tmpfs symbolic links. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_delete_tmpfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_delete_tmpfs_symlinks'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:lnk_file delete_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_delete_tmpfs_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## auto moutpoints. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_auto_mountpoints',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_auto_mountpoints'($*)) dnl - - gen_require(` - type autofs_t; - ') - - allow $1 autofs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_auto_mountpoints'($*)) dnl - ') - - -######################################## -## -## Read generic tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - read_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read and write generic tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_rw_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - rw_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Relabel files on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabel_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - relabel_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read tmpfs link files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_read_tmpfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_symlinks'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_symlinks'($*)) dnl - ') - - -######################################## -## -## Relabelfrom socket files on tmpfs filesystems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_relabelfrom_tmpfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs_sockets'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:sock_file relabelfrom_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs_sockets'($*)) dnl - ') - - -######################################## -## -## Relabelfrom tmpfs link files. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_tmpfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs_symlinks'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs_symlinks'($*)) dnl - ') - - -######################################## -## -## Read and write character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_tmpfs_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_chr_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_chr_files'($*)) dnl - ') - - -######################################## -## -## dontaudit Read and write character nodes on tmpfs filesystems. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_use_tmpfs_chr_dev',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - dontaudit $1 tmpfs_t:dir list_dir_perms; - dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_use_tmpfs_chr_dev'($*)) dnl - ') - - -######################################## -## -## Relabel character nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabel_tmpfs_chr_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_chr_file'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_chr_file'($*)) dnl - ') - - -######################################## -## -## Read and write block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_rw_tmpfs_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_blk_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_blk_files'($*)) dnl - ') - - -######################################## -## -## Relabel block nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_relabel_tmpfs_blk_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_blk_file'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; - relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_blk_file'($*)) dnl - ') - - -######################################## -## -## Read and write, create and delete generic -## files on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - manage_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read and write, create and delete symbolic -## links on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_tmpfs_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_symlinks'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_symlinks'($*)) dnl - ') - - -######################################## -## -## Read and write, create and delete socket -## files on tmpfs filesystems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_manage_tmpfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_sockets'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - manage_sock_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write, create and delete character -## nodes on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_tmpfs_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_chr_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - manage_chr_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_chr_files'($*)) dnl - ') - - -######################################## -## -## Read and write, create and delete block nodes -## on tmpfs filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_manage_tmpfs_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_blk_files'($*)) dnl - - gen_require(` - type tmpfs_t; - ') - - manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_blk_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a trace filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_tracefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_tracefs'($*)) dnl - - gen_require(` - type tracefs_t; - ') - - allow $1 tracefs_t:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_tracefs'($*)) dnl - ') - - -######################################## -## -## Get attributes of dirs on tracefs filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_tracefs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_tracefs_dirs'($*)) dnl - - gen_require(` - type tracefs_t; - ') - - allow $1 tracefs_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_tracefs_dirs'($*)) dnl - ') - - -######################################## -## -## search directories on a tracefs filesystem -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_tracefs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_tracefs'($*)) dnl - - gen_require(` - type tracefs_t; - ') - - allow $1 tracefs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_tracefs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of files -## on a trace filesystem. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_tracefs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_tracefs_files'($*)) dnl - - gen_require(` - type tracefs_t; - ') - - allow $1 tracefs_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_tracefs_files'($*)) dnl - ') - - -######################################## -## -## Mount a XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_xenfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_xenfs'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_xenfs'($*)) dnl - ') - - -######################################## -## -## Search the XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_search_xenfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_xenfs'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_xenfs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## on a XENFS filesystem. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_manage_xenfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_dirs'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - allow $1 xenfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete directories -## on a XENFS filesystem. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_manage_xenfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_dirs'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - dontaudit $1 xenfs_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## on a XENFS filesystem. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_manage_xenfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_files'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - manage_files_pattern($1, xenfs_t, xenfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, -## read, write, and delete files -## on a XENFS filesystem. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_manage_xenfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_files'($*)) dnl - - gen_require(` - type xenfs_t; - ') - - dontaudit $1 xenfs_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_files'($*)) dnl - ') - - -######################################## -## -## Mount all filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_mount_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_mount_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem mount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_mount_all_fs'($*)) dnl - ') - - -######################################## -## -## Remount all filesystems. This -## allows some mount options to be changed. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_remount_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_remount_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem remount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_remount_all_fs'($*)) dnl - ') - - -######################################## -## -## Unmount all filesystems. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unmount_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unmount_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem unmount; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unmount_all_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all filesystems. -## -## -##

-## Allow the specified domain to -## get the attributes of all filesystems. -## Example attributes: -##

-##
    -##
  • Type of the file system (e.g., ext3)
  • -##
  • Size of the file system
  • -##
  • Available space on the file system
  • -##
-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`fs_getattr_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem getattr; - files_getattr_all_file_type_fs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_fs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## all filesystems. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:filesystem getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_fs'($*)) dnl - ') - - -######################################## -## -## Get the quotas of all filesystems. -## -## -## -## Domain allowed access. -## -## -## -# - define(`fs_get_all_fs_quotas',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_get_all_fs_quotas'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem quotaget; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_get_all_fs_quotas'($*)) dnl - ') - - -######################################## -## -## Set the quotas of all filesystems. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fs_set_all_quotas',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_set_all_quotas'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem quotamod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_set_all_quotas'($*)) dnl - ') - - -######################################## -## -## Relabelfrom all filesystems. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_relabelfrom_all_fs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_all_fs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:filesystem relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_relabelfrom_all_fs'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all directories -## with a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_dirs'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_dirs'($*)) dnl - ') - - -######################################## -## -## Search all directories with a filesystem type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_search_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_search_all'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_search_all'($*)) dnl - ') - - -######################################## -## -## List all directories with a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_list_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_list_all'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - allow $1 filesystem_type:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_list_all'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all files with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_files'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all files with a filesystem type. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_getattr_all_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_files'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all symbolic links with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_symlinks'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_lnk_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all symbolic links with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_all_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_symlinks'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:lnk_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_symlinks'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all named pipes with -## a filesystem type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_fifo_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all named pipes with a filesystem type. -## -## -## -## Domain to not audit. -## -## -# - define(`fs_dontaudit_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all named sockets with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_sock_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all named sockets with a filesystem type. -## -## -## -## Domain to not audit. 
-## -## -# - define(`fs_dontaudit_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - dontaudit $1 filesystem_type:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all block device nodes with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_blk_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_blk_files'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_blk_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_blk_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all character device nodes with -## a filesystem type. -## -## -## -## Domain allowed access. -## -## -# - define(`fs_getattr_all_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_getattr_all_chr_files'($*)) dnl - - gen_require(` - attribute filesystem_type; - ') - - getattr_chr_files_pattern($1, filesystem_type, filesystem_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_getattr_all_chr_files'($*)) dnl - ') - - -######################################## -## -## Unconfined access to filesystems -## -## -## -## Domain allowed access. 
-## -## -# - define(`fs_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fs_unconfined'($*)) dnl - - gen_require(` - attribute filesystem_unconfined_type; - ') - - typeattribute $1 filesystem_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fs_unconfined'($*)) dnl - ') - -## Multilevel security policy -## -##

-## This module contains interfaces for handling multilevel -## security. The interfaces allow the specified subjects -## and objects to be allowed certain privileges in the -## MLS rules. -##

-##
-## -## Contains attributes used in MLS policy. -## - -######################################## -## -## Make specified domain MLS trusted -## for reading from files up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_read_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_read_to_clearance'($*)) dnl - - gen_require(` - attribute mlsfilereadtoclr; - ') - - typeattribute $1 mlsfilereadtoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_read_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from files at all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsfileread; - ') - - typeattribute $1 mlsfileread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for write to files up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlsfilewritetoclr; - ') - - typeattribute $1 mlsfilewritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to files at all levels. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_file_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsfilewrite; - ') - - typeattribute $1 mlsfilewrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for relabelto to files up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_relabel_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_relabel_to_clearance'($*)) dnl - - gen_require(` - attribute mlsfilerelabeltoclr; - ') - - typeattribute $1 mlsfilerelabeltoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_relabel_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for relabelto to files at all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_relabel',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_relabel'($*)) dnl - - gen_require(` - attribute mlsfilerelabel; - ') - - typeattribute $1 mlsfilerelabel; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_relabel'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for raising the level of files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_file_upgrade',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_upgrade'($*)) dnl - - gen_require(` - attribute mlsfileupgrade; - ') - - typeattribute $1 mlsfileupgrade; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_upgrade'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for lowering the level of files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_downgrade',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_downgrade'($*)) dnl - - gen_require(` - attribute mlsfiledowngrade; - ') - - typeattribute $1 mlsfiledowngrade; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_downgrade'($*)) dnl - ') - - -######################################## -## -## Make specified domain trusted to -## be written to within its MLS range. -## The subject's MLS range must be a -## proper subset of the object's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_file_write_within_range',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_file_write_within_range'($*)) dnl - - gen_require(` - attribute mlsfilewriteinrange; - ') - - typeattribute $1 mlsfilewriteinrange; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_file_write_within_range'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from sockets at any level. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_socket_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_socket_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsnetread; - ') - - typeattribute $1 mlsnetread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_socket_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from sockets at any level -## that is dominated by the process clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_socket_read_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_socket_read_to_clearance'($*)) dnl - - gen_require(` - attribute mlsnetreadtoclr; - ') - - typeattribute $1 mlsnetreadtoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_socket_read_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to sockets up to -## its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_socket_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_socket_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlsnetwritetoclr; - ') - - typeattribute $1 mlsnetwritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_socket_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to sockets at any level. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_socket_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_socket_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsnetwrite; - ') - - typeattribute $1 mlsnetwrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_socket_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for receiving network data from -## network interfaces or hosts at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_net_receive_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_net_receive_all_levels'($*)) dnl - - gen_require(` - attribute mlsnetrecvall; - ') - - typeattribute $1 mlsnetrecvall; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_net_receive_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain trusted to -## write to network objects within its MLS range. -## The subject's MLS range must be a -## proper subset of the object's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_net_write_within_range',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_net_write_within_range'($*)) dnl - - gen_require(` - attribute mlsnetwriteranged; - ') - - typeattribute $1 mlsnetwriteranged; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_net_write_within_range'($*)) dnl - ') - - -######################################## -## -## Make specified domain trusted to -## write inbound packets regardless of the -## network's or node's MLS range. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_net_inbound_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_net_inbound_all_levels'($*)) dnl - - gen_require(` - attribute mlsnetinbound; - ') - - typeattribute $1 mlsnetinbound; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_net_inbound_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain trusted to -## write outbound packets regardless of the -## network's or node's MLS range. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_net_outbound_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_net_outbound_all_levels'($*)) dnl - - gen_require(` - attribute mlsnetoutbound; - ') - - typeattribute $1 mlsnetoutbound; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_net_outbound_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from System V IPC objects -## up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_sysvipc_read_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_to_clearance'($*)) dnl - - gen_require(` - attribute mlsipcreadtoclr; - ') - - typeattribute $1 mlsipcreadtoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from System V IPC objects -## at any level. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_sysvipc_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsipcread; - ') - - typeattribute $1 mlsipcread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to System V IPC objects -## up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_sysvipc_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlsipcwritetoclr; - ') - - typeattribute $1 mlsipcwritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to System V IPC objects -## at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_sysvipc_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsipcwrite; - ') - - typeattribute $1 mlsipcwrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to keys up to -## its clearance. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_key_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_key_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlskeywritetoclr; - ') - - typeattribute $1 mlskeywritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_key_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to keys at all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_key_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_key_write_all_levels'($*)) dnl - - gen_require(` - attribute mlskeywrite; - ') - - typeattribute $1 mlskeywrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_key_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to do a MLS -## range transition that changes -## the current level. -## -## -## -## Domain allowed access. -## -## -# - define(`mls_rangetrans_source',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_rangetrans_source'($*)) dnl - - gen_require(` - attribute privrangetrans; - ') - - typeattribute $1 privrangetrans; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_rangetrans_source'($*)) dnl - ') - - -######################################## -## -## Make specified domain a target domain -## for MLS range transitions that change -## the current level. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mls_rangetrans_target',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_rangetrans_target'($*)) dnl - - gen_require(` - attribute mlsrangetrans; - ') - - typeattribute $1 mlsrangetrans; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_rangetrans_target'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from processes up to -## its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_process_read_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_process_read_to_clearance'($*)) dnl - - gen_require(` - attribute mlsprocreadtoclr; - ') - - typeattribute $1 mlsprocreadtoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_process_read_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from processes at all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_process_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_process_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsprocread; - ') - - typeattribute $1 mlsprocread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_process_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to processes up to -## its clearance. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_process_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_process_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlsprocwritetoclr; - ') - - typeattribute $1 mlsprocwritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_process_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to processes at all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_process_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_process_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsprocwrite; - ') - - typeattribute $1 mlsprocwrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_process_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for setting the level of processes -## it executes. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_process_set_level',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_process_set_level'($*)) dnl - - gen_require(` - attribute mlsprocsetsl; - ') - - typeattribute $1 mlsprocsetsl; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_process_set_level'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from X objects up to its clearance. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_xwin_read_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_xwin_read_to_clearance'($*)) dnl - - gen_require(` - attribute mlsxwinreadtoclr; - ') - - typeattribute $1 mlsxwinreadtoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_xwin_read_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from X objects at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_xwin_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_xwin_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsxwinread; - ') - - typeattribute $1 mlsxwinread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_xwin_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for write to X objects up to its clearance. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_xwin_write_to_clearance',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_xwin_write_to_clearance'($*)) dnl - - gen_require(` - attribute mlsxwinwritetoclr; - ') - - typeattribute $1 mlsxwinwritetoclr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_xwin_write_to_clearance'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to X objects at any level. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_xwin_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_xwin_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsxwinwrite; - ') - - typeattribute $1 mlsxwinwrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_xwin_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from X colormaps at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_colormap_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_colormap_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsxwinreadcolormap; - ') - - typeattribute $1 mlsxwinreadcolormap; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_colormap_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to X colormaps at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_colormap_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_colormap_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsxwinwritecolormap; - ') - - typeattribute $1 mlsxwinwritecolormap; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_colormap_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified object MLS trusted. -## -## -##

-## Make specified object MLS trusted. This -## allows all levels to read and write the -## object. -##

-##

-## This currently only applies to filesystem -## objects, for example, files and directories. -##

-##
-## -## -## The type of the object. -## -## -# - define(`mls_trusted_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_trusted_object'($*)) dnl - - gen_require(` - attribute mlstrustedobject; - ') - - typeattribute $1 mlstrustedobject; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_trusted_object'($*)) dnl - ') - - -######################################## -## -## Make specified socket MLS trusted. -## -## -##

-## Make specified socket MLS trusted. For sockets -## marked as such, this allows all levels to: -## * sendto to unix_dgram_sockets -## * connectto to unix_stream_sockets -## respectively. -##

-##
-## -## -## The type of the object. -## -## -# - define(`mls_trusted_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_trusted_socket'($*)) dnl - - gen_require(` - attribute mlstrustedsocket; - ') - - typeattribute $1 mlstrustedsocket; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_trusted_socket'($*)) dnl - ') - - -######################################## -## -## Make the specified domain trusted -## to inherit and use file descriptors -## from all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_fd_use_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_fd_use_all_levels'($*)) dnl - - gen_require(` - attribute mlsfduse; - ') - - typeattribute $1 mlsfduse; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_fd_use_all_levels'($*)) dnl - ') - - -######################################## -## -## Make the file descriptors from the -## specifed domain inheritable by -## all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_fd_share_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_fd_share_all_levels'($*)) dnl - - gen_require(` - attribute mlsfdshare; - ') - - typeattribute $1 mlsfdshare; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_fd_share_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for translating contexts at all levels. (Deprecated) -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_context_translate_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_context_translate_all_levels'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_context_translate_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for reading from databases at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_db_read_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_db_read_all_levels'($*)) dnl - - gen_require(` - attribute mlsdbread; - ') - - typeattribute $1 mlsdbread; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_db_read_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for writing to databases at any level. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_db_write_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_db_write_all_levels'($*)) dnl - - gen_require(` - attribute mlsdbwrite; - ') - - typeattribute $1 mlsdbwrite; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_db_write_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for raising the level of databases. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_db_upgrade',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_db_upgrade'($*)) dnl - - gen_require(` - attribute mlsdbupgrade; - ') - - typeattribute $1 mlsdbupgrade; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_db_upgrade'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for lowering the level of databases. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_db_downgrade',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_db_downgrade'($*)) dnl - - gen_require(` - attribute mlsdbdowngrade; - ') - - typeattribute $1 mlsdbdowngrade; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_db_downgrade'($*)) dnl - ') - -######################################## -## -## Make specified domain MLS trusted -## for sending dbus messages to -## all levels. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mls_dbus_send_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_dbus_send_all_levels'($*)) dnl - - gen_require(` - attribute mlsdbussend; - ') - - typeattribute $1 mlsdbussend; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_dbus_send_all_levels'($*)) dnl - ') - - -######################################## -## -## Make specified domain MLS trusted -## for receiving dbus messages from -## all levels. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mls_dbus_recv_all_levels',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mls_dbus_recv_all_levels'($*)) dnl - - gen_require(` - attribute mlsdbusrecv; - ') - - typeattribute $1 mlsdbusrecv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mls_dbus_recv_all_levels'($*)) dnl - ') - -## Core policy for domains. -## -## Contains the concept of a domain. -## - -######################################## -## -## Make the specified type usable as a basic domain. -## -## -##

-## Make the specified type usable as a basic domain. -##

-##

-## This is primarily used for kernel threads; -## generally the domain_type() interface is -## more appropriate for userland processes. -##

-##
-## -## -## Type to be used as a basic domain type. -## -## -# - define(`domain_base_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_base_type'($*)) dnl - - gen_require(` - attribute domain; - ') - - typeattribute $1 domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_base_type'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as a domain. -## -## -##

-## Make the specified type usable as a domain. This, -## or an interface that calls this interface, must be -## used on all types that are used as domains. -##

-##

-## Related interfaces: -##

-##
    -##
  • application_domain()
  • -##
  • init_daemon_domain()
  • -##
  • init_domaion()
  • -##
  • init_ranged_daemon_domain()
  • -##
  • init_ranged_domain()
  • -##
  • init_ranged_system_domain()
  • -##
  • init_script_domain()
  • -##
  • init_system_domain()
  • -##
-##

-## Example: -##

-##

-## type mydomain_t; -## domain_type(mydomain_t) -## type myfile_t; -## files_type(myfile_t) -## allow mydomain_t myfile_t:file read_file_perms; -##

-##
-## -## -## Type to be used as a domain type. -## -## -## -# - define(`domain_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_type'($*)) dnl - - # start with basic domain - domain_base_type($1) - - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) - ') - ') - - # send init a sigchld and signull - optional_policy(` - init_sigchld($1) - init_signull($1) - ') - - # these seem questionable: - - optional_policy(` - rpm_use_fds($1) - rpm_read_pipes($1) - ') - - optional_policy(` - selinux_dontaudit_getattr_fs($1) - selinux_dontaudit_read_fs($1) - ') - - optional_policy(` - seutil_dontaudit_read_config($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_type'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as -## an entry point for the domain. -## -## -## -## Domain to be entered. -## -## -## -## -## Type of program used for entering -## the domain. -## -## -# - define(`domain_entry_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_entry_file'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_exec_file_perms ioctl lock }; - - typeattribute $2 entry_type; - - corecmd_executable_file($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_entry_file'($*)) dnl - ') - - -######################################## -## -## Make the file descriptors of the specified -## domain for interactive use (widely inheritable) -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_interactive_fd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_interactive_fd'($*)) dnl - - gen_require(` - attribute privfd; - ') - - typeattribute $1 privfd; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_interactive_fd'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to perform -## dynamic transitions. -## -## -##

-## Allow the specified domain to perform -## dynamic transitions. -##

-##

-## This violates process tranquility, and it -## is strongly suggested that this not be used. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`domain_dyntrans_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dyntrans_type'($*)) dnl - - gen_require(` - attribute set_curr_context; - ') - - typeattribute $1 set_curr_context; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dyntrans_type'($*)) dnl - ') - - -######################################## -## -## Makes caller and execption to the constraint -## preventing changing to the system user -## identity and system role. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_system_change_exemption',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_system_change_exemption'($*)) dnl - - gen_require(` - attribute can_system_change; - ') - - typeattribute $1 can_system_change; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_system_change_exemption'($*)) dnl - ') - - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing of user identity. -## -## -## -## The process type to make an exception to the constraint. -## -## -# - define(`domain_subj_id_change_exemption',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_subj_id_change_exemption'($*)) dnl - - gen_require(` - attribute can_change_process_identity; - ') - - typeattribute $1 can_change_process_identity; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_subj_id_change_exemption'($*)) dnl - ') - - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing of role. -## -## -## -## The process type to make an exception to the constraint. 
-## -## -# - define(`domain_role_change_exemption',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_role_change_exemption'($*)) dnl - - gen_require(` - attribute can_change_process_role; - ') - - typeattribute $1 can_change_process_role; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_role_change_exemption'($*)) dnl - ') - - -######################################## -## -## Makes caller an exception to the constraint preventing -## changing the user identity in object contexts. -## -## -## -## The process type to make an exception to the constraint. -## -## -## -# - define(`domain_obj_id_change_exemption',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_obj_id_change_exemption'($*)) dnl - - gen_require(` - attribute can_change_object_identity; - ') - - typeattribute $1 can_change_object_identity; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_obj_id_change_exemption'($*)) dnl - ') - - -######################################## -## -## Make the specified domain the target of -## the user domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the target of -## the user domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the user domains from the base module. -## It should not be used other than on -## user domains. -##

-##
-## -## -## Domain target for user exemption. -## -## -# - define(`domain_user_exemption_target',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_user_exemption_target'($*)) dnl - - gen_require(` - attribute process_user_target; - ') - - typeattribute $1 process_user_target; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_user_exemption_target'($*)) dnl - ') - - -######################################## -## -## Make the specified domain the source of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the source of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the cron domains from the base module. -## It should not be used other than on -## cron domains. -##

-##
-## -## -## Domain target for user exemption. -## -## -# - define(`domain_cron_exemption_source',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_source'($*)) dnl - - gen_require(` - attribute cron_source_domain; - ') - - typeattribute $1 cron_source_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_cron_exemption_source'($*)) dnl - ') - - -######################################## -## -## Make the specified domain the target of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -## -## -##

-## Make the specified domain the target of -## the cron domain exception of the -## SELinux role and identity change -## constraints. -##

-##

-## This interface is needed to decouple -## the cron domains from the base module. -## It should not be used other than on -## user cron jobs. -##

-##
-## -## -## Domain target for user exemption. -## -## -# - define(`domain_cron_exemption_target',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_target'($*)) dnl - - gen_require(` - attribute cron_job_domain; - ') - - typeattribute $1 cron_job_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_cron_exemption_target'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors from -## domains with interactive programs. -## -## -##

-## Allow the specified domain to inherit and use file -## descriptors from domains with interactive programs. -## This does not allow access to the objects being referenced -## by the file descriptors. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`domain_use_interactive_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_use_interactive_fds'($*)) dnl - - gen_require(` - attribute privfd; - ') - - allow $1 privfd:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_use_interactive_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit file -## descriptors from domains with interactive -## programs. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_use_interactive_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_use_interactive_fds'($*)) dnl - - gen_require(` - attribute privfd; - ') - - dontaudit $1 privfd:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_use_interactive_fds'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to domains whose file -## discriptors are widely inheritable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: this was added because of newrole - define(`domain_sigchld_interactive_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_sigchld_interactive_fds'($*)) dnl - - gen_require(` - attribute privfd; - ') - - allow $1 privfd:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_sigchld_interactive_fds'($*)) dnl - ') - - -######################################## -## -## Set the nice level of all domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_setpriority_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_setpriority_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process setsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_setpriority_all_domains'($*)) dnl - ') - - -######################################## -## -## Send general signals to all domains. -## -## -## -## Domain allowed access. -## -## -## -# - define(`domain_signal_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_signal_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_signal_all_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send general -## signals to all domains. -## -## -## -## Domain to not audit. -## -## -## -# - define(`domain_dontaudit_signal_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_signal_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_signal_all_domains'($*)) dnl - ') - - -######################################## -## -## Send a null signal to all domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_signull_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_signull_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_signull_all_domains'($*)) dnl - ') - - -######################################## -## -## Send a stop signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# - define(`domain_sigstop_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_sigstop_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigstop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_sigstop_all_domains'($*)) dnl - ') - - -######################################## -## -## Send a child terminated signal to all domains. -## -## -## -## Domain allowed access. -## -## -## -# - define(`domain_sigchld_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_sigchld_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_sigchld_all_domains'($*)) dnl - ') - - -######################################## -## -## Send a kill signal to all domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_kill_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_kill_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process sigkill; - allow $1 self:capability kill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_kill_all_domains'($*)) dnl - ') - - -######################################## -## -## Search the process state directory (/proc/pid) of all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_search_all_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_search_all_domains_state'($*)) dnl - - gen_require(` - attribute domain; - ') - - kernel_search_proc($1) - allow $1 domain:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_search_all_domains_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the process -## state directory (/proc/pid) of all domains. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_search_all_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_state'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_state'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of all domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_read_all_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_read_all_domains_state'($*)) dnl - - gen_require(` - attribute domain; - ') - - kernel_search_proc($1) - allow $1 domain:dir list_dir_perms; - read_files_pattern($1, domain, domain) - read_lnk_files_pattern($1, domain, domain) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_read_all_domains_state'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all domains of all domains. -## -## -## -## Domain allowed access. -## -## -## -# - define(`domain_getattr_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_all_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_dontaudit_getattr_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_domains'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of all confined domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_read_confined_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_read_confined_domains_state'($*)) dnl - - gen_require(` - attribute domain, unconfined_domain_type; - ') - - kernel_search_proc($1) - allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; - read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) - read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) - - dontaudit $1 unconfined_domain_type:dir search_dir_perms; - dontaudit $1 unconfined_domain_type:file read_file_perms; - dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_read_confined_domains_state'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all confined domains. -## -## -## -## Domain allowed access. -## -## -## -# - define(`domain_getattr_confined_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_confined_domains'($*)) dnl - - gen_require(` - attribute domain, unconfined_domain_type; - ') - - allow $1 { domain -unconfined_domain_type }:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_confined_domains'($*)) dnl - ') - - -######################################## -## -## Ptrace all domains. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_ptrace_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_ptrace_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process ptrace; - allow domain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_ptrace_all_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to ptrace all domains. -## -## -##

-## Do not audit attempts to ptrace all domains. -##

-##

-## Generally this needs to be suppressed because procps tries to access -## /proc/pid/environ and this now triggers a ptrace check in recent kernels -## (2.4 and 2.6). -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_ptrace_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process ptrace; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_all_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to ptrace confined domains. -## -## -##

-## Do not audit attempts to ptrace confined domains. -##

-##

-## Generally this needs to be suppressed because procps tries to access -## /proc/pid/environ and this now triggers a ptrace check in recent kernels -## (2.4 and 2.6). -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_ptrace_confined_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_confined_domains'($*)) dnl - - gen_require(` - attribute domain, unconfined_domain_type; - ') - - dontaudit $1 { domain -unconfined_domain_type }:process ptrace; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_confined_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the process -## state (/proc/pid) of all domains. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_read_all_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_read_all_domains_state'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir list_dir_perms; - dontaudit $1 domain:lnk_file read_lnk_file_perms; - dontaudit $1 domain:file read_file_perms; - - # cjp: these should be removed: - dontaudit $1 domain:sock_file read_sock_file_perms; - dontaudit $1 domain:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_read_all_domains_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the process state -## directories of all domains. -## -## -## -## Domain to not audit. 
-## -## -# - define(`domain_dontaudit_list_all_domains_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_list_all_domains_state'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_list_all_domains_state'($*)) dnl - ') - - -######################################## -## -## Get the session ID of all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_getsession_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getsession_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process getsession; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getsession_all_domains'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## session ID of all domains. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getsession_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getsession_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process getsession; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getsession_all_domains'($*)) dnl - ') - - -######################################## -## -## Get the process group ID of all domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_getpgid_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getpgid_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process getpgid; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getpgid_all_domains'($*)) dnl - ') - - -######################################## -## -## Get the scheduler information of all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_getsched_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getsched_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process getsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getsched_all_domains'($*)) dnl - ') - - -######################################## -## -## Get the capability information of all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_getcap_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getcap_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:process getcap; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getcap_all_domains'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all domains -## sockets, for all socket types. -## -## -##

-## Get the attributes of all domains -## sockets, for all socket types. -##

-##

-## This is commonly used for domains -## that can use lsof on all domains. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`domain_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:socket_class_set getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains sockets, for all socket types. -## -## -##

-## Do not audit attempts to get the attributes -## of all domains sockets, for all socket types. -##

-##

-## This interface was added for PCMCIA cardmgr -## and is probably excessive. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:socket_class_set getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains TCP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:tcp_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains UDP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_udp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:udp_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## all domains UDP sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`domain_dontaudit_rw_all_udp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_udp_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:udp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_udp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attribues of -## all domains IPSEC key management sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_key_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_key_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:key_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_key_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attribues of -## all domains packet sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_packet_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:packet_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get attribues of -## all domains raw sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`domain_dontaudit_getattr_all_raw_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:rawip_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## all domains key sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_rw_all_key_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_key_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:key_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_key_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unix datagram sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_dgram_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:unix_dgram_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl - ') - - -######################################## -## -## Get the attributes -## of all domains unix datagram sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_getattr_all_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_all_stream_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:unix_stream_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_all_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unix stream sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:unix_stream_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all domains -## unnamed pipes. -## -## -##

-## Get the attributes of all domains -## unnamed pipes. -##

-##

-## This is commonly used for domains -## that can use lsof on all domains. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`domain_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all domains unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_pipes'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_pipes'($*)) dnl - ') - - -######################################## -## -## Allow specified type to set context of all -## domains IPSEC associations. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_ipsec_setcontext_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_ipsec_setcontext_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - allow $1 domain:association setcontext; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_ipsec_setcontext_all_domains'($*)) dnl - ') - - -######################################## -## -## Get the attributes of entry point -## files for all domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_getattr_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_getattr_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:lnk_file read_lnk_file_perms; - allow $1 entry_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_getattr_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of all entry point files. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getattr_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - dontaudit $1 entry_type:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Read the entry point files for all domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_read_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_read_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:lnk_file read_lnk_file_perms; - allow $1 entry_type:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_read_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Execute the entry point files for all -## domains in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`domain_exec_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_exec_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - can_exec($1, entry_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_exec_all_entry_files'($*)) dnl - ') - - -######################################## -## -## dontaudit checking for execute on all entry point files -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_exec_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_exec_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - dontaudit $1 entry_type:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_exec_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all -## entrypoint files. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`domain_manage_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_manage_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_manage_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Relabel to and from all entry point -## file types. -## -## -## -## Domain allowed access. 
-## -## -# -# cjp: added for prelink - define(`domain_relabel_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_relabel_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_relabel_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Mmap all entry point files as executable. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`domain_mmap_all_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_mmap_all_entry_files'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - allow $1 entry_type:file mmap_exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_mmap_all_entry_files'($*)) dnl - ') - - -######################################## -## -## Execute an entry_type in the specified domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the new process. -## -## -# -# cjp: added for userhelper - define(`domain_entry_file_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_entry_file_spec_domtrans'($*)) dnl - - gen_require(` - attribute entry_type; - ') - - domain_transition_pattern($1, entry_type, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_entry_file_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Ability to mmap a low area of the address -## space conditionally, as configured by -## /proc/sys/kernel/mmap_min_addr. -## Preventing such mappings helps protect against -## exploiting null deref bugs in the kernel. -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_mmap_low',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_mmap_low'($*)) dnl - - gen_require(` - attribute mmap_low_domain_type; - ') - - typeattribute $1 mmap_low_domain_type; - - tunable_policy(`mmap_low_allowed',` - allow $1 self:memprotect mmap_zero; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_mmap_low'($*)) dnl - ') - - -######################################## -## -## Ability to mmap a low area of the address -## space unconditionally, as configured -## by /proc/sys/kernel/mmap_min_addr. -## Preventing such mappings helps protect against -## exploiting null deref bugs in the kernel. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_mmap_low_uncond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_mmap_low_uncond'($*)) dnl - - gen_require(` - attribute mmap_low_domain_type; - ') - - typeattribute $1 mmap_low_domain_type; - - allow $1 self:memprotect mmap_zero; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_mmap_low_uncond'($*)) dnl - ') - - -######################################## -## -## Allow specified type to receive labeled -## networking packets from all domains, over -## all protocols (TCP, UDP, etc) -## -## -## -## Domain allowed access. -## -## -# - define(`domain_all_recvfrom_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_all_recvfrom_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - corenet_all_recvfrom_labeled($1, domain) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_all_recvfrom_all_domains'($*)) dnl - ') - - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`domain_unconfined_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_unconfined_signal'($*)) dnl - - gen_require(` - attribute unconfined_domain_type; - ') - - allow $1 unconfined_domain_type:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_unconfined_signal'($*)) dnl - ') - - -######################################## -## -## Unconfined access to domains. -## -## -## -## Domain allowed access. -## -## -# - define(`domain_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_unconfined'($*)) dnl - - gen_require(` - attribute set_curr_context; - attribute can_change_object_identity; - attribute unconfined_domain_type; - attribute process_uncond_exempt; - ') - - typeattribute $1 unconfined_domain_type; - - # pass constraints - typeattribute $1 can_change_object_identity; - typeattribute $1 set_curr_context; - typeattribute $1 process_uncond_exempt; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_unconfined'($*)) dnl - ') - - -# Gentoo specific stuff, but I cannot use ifdef distro_gentoo in if files - -######################################## -## -## Do not audit getting the scheduler information of all domains. -## -## -## -## Domain to not audit. -## -## -# - define(`domain_dontaudit_getsched_all_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getsched_all_domains'($*)) dnl - - gen_require(` - attribute domain; - ') - - dontaudit $1 domain:process getsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `domain_dontaudit_getsched_all_domains'($*)) dnl - ') - -## Least privledge xwindows user role. - -######################################## -## -## Change to the xguest role. 
-## -## -## -## Role allowed access. -## -## -## -# - define(`xguest_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xguest_role_change'($*)) dnl - - gen_require(` - role xguest_r; - ') - - allow $1 xguest_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xguest_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the xguest role. -## -## -##

-## Change from the xguest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`xguest_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xguest_role_change_to'($*)) dnl - - gen_require(` - role xguest_r; - ') - - allow xguest_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xguest_role_change_to'($*)) dnl - ') - -## Generic unprivileged user role - -######################################## -## -## Change to the generic user role. -## -## -## -## Role allowed access. -## -## -## -# - define(`unprivuser_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unprivuser_role_change'($*)) dnl - - gen_require(` - role user_r; - ') - - allow $1 user_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unprivuser_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the generic user role. -## -## -##

-## Change from the generic user role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`unprivuser_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unprivuser_role_change_to'($*)) dnl - - gen_require(` - role user_r; - ') - - allow user_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unprivuser_role_change_to'($*)) dnl - ') - -## Web administrator role. - -######################################## -## -## Change to the web administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`webadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `webadm_role_change'($*)) dnl - - gen_require(` - role webadm_r; - ') - - allow $1 webadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `webadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the web administrator role. -## -## -##

-## Change from the web administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`webadm_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `webadm_role_change_to'($*)) dnl - - gen_require(` - role webadm_r; - ') - - allow webadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `webadm_role_change_to'($*)) dnl - ') - -## General system administration role - -######################################## -## -## Change to the system administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`sysadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_role_change'($*)) dnl - - gen_require(` - role sysadm_r; - ') - - allow $1 sysadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the system administrator role. -## -## -##

-## Change from the system administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`sysadm_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_role_change_to'($*)) dnl - - gen_require(` - role sysadm_r; - ') - - allow sysadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_role_change_to'($*)) dnl - ') - - -######################################## -## -## Execute a shell in the sysadm domain. -## -## -## -## Domain allowed access. -## -## -# - define(`sysadm_shell_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_shell_domtrans'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - corecmd_shell_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_shell_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a generic bin program in the sysadm domain. -## -## -## -## Domain allowed access. -## -## -# - define(`sysadm_bin_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - corecmd_bin_spec_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute all entrypoint files in the sysadm domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysadm_entry_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans($1, sysadm_t) - allow sysadm_t $1:fd use; - allow sysadm_t $1:fifo_file rw_file_perms; - allow sysadm_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute all entrypoint files in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`sysadm_entry_spec_domtrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans_to'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans_to'($*)) dnl - ') - - -######################################## -## -## Allow sysadm to execute a generic bin program in -## a specified domain. This is an explicit transition, -## requiring the caller to use setexeccon(). -## -## -##

-## Allow sysadm to execute a generic bin program in -## a specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -# - define(`sysadm_bin_spec_domtrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans_to'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - corecmd_bin_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans_to'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to sysadm users. -## -## -## -## Domain allowed access. -## -## -# - define(`sysadm_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_sigchld'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_sigchld'($*)) dnl - ') - - -######################################## -## -## Inherit and use sysadm file descriptors -## -## -## -## Domain allowed access. -## -## -# - define(`sysadm_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_use_fds'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_use_fds'($*)) dnl - ') - - -######################################## -## -## Read and write sysadm user unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysadm_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysadm_rw_pipes'($*)) dnl - - gen_require(` - type sysadm_t; - ') - - allow $1 sysadm_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysadm_rw_pipes'($*)) dnl - ') - -## Administrator's unprivileged user role - -######################################## -## -## Change to the staff role. -## -## -## -## Role allowed access. -## -## -## -# - define(`staff_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `staff_role_change'($*)) dnl - - gen_require(` - role staff_r; - ') - - allow $1 staff_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `staff_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the staff role. -## -## -##

-## Change from the staff role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`staff_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `staff_role_change_to'($*)) dnl - - gen_require(` - role staff_r; - ') - - allow staff_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `staff_role_change_to'($*)) dnl - ') - -## Least privledge terminal user role. - -######################################## -## -## Change to the guest role. -## -## -## -## Role allowed access. -## -## -## -# - define(`guest_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `guest_role_change'($*)) dnl - - gen_require(` - role guest_r; - ') - - allow $1 guest_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `guest_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the guest role. -## -## -##

-## Change from the guest role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`guest_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `guest_role_change_to'($*)) dnl - - gen_require(` - role guest_r; - ') - - allow guest_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `guest_role_change_to'($*)) dnl - ') - -## Log administrator role - -######################################## -## -## Change to the log administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`logadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logadm_role_change'($*)) dnl - - gen_require(` - role logadm_r; - ') - - allow $1 logadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the log administrator role. -## -## -##

-## Change from the log administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`logadm_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logadm_role_change_to'($*)) dnl - - gen_require(` - role logadm_r; - ') - - allow logadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logadm_role_change_to'($*)) dnl - ') - -## Audit administrator role - -######################################## -## -## Change to the audit administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`auditadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auditadm_role_change'($*)) dnl - - gen_require(` - role auditadm_r; - ') - - allow $1 auditadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auditadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the audit administrator role. -## -## -##

-## Change from the audit administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`auditadm_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auditadm_role_change_to'($*)) dnl - - gen_require(` - role auditadm_r; - ') - - allow auditadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auditadm_role_change_to'($*)) dnl - ') - -## Database administrator role. - -######################################## -## -## Change to the database administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`dbadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbadm_role_change'($*)) dnl - - gen_require(` - role dbadm_r; - ') - - allow $1 dbadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the database administrator role. -## -## -##

-## Change from the database administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`dbadm_role_change_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbadm_role_change_to'($*)) dnl - - gen_require(` - role dbadm_r; - ') - - allow dbadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbadm_role_change_to'($*)) dnl - ') - -## Security administrator role - -######################################## -## -## Change to the security administrator role. -## -## -## -## Role allowed access. -## -## -## -# - define(`secadm_role_change',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `secadm_role_change'($*)) dnl - - gen_require(` - role secadm_r; - ') - - allow $1 secadm_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `secadm_role_change'($*)) dnl - ') - - -######################################## -## -## Change from the security administrator role. -## -## -##

-## Change from the security administrator role to -## the specified role. -##

-##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Role allowed access. -## -## -## -# - define(`secadm_role_change_to_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `secadm_role_change_to_template'($*)) dnl - - gen_require(` - role secadm_r; - ') - - allow secadm_r $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `secadm_role_change_to_template'($*)) dnl - ') - - -## Bluetooth tools and system services. - -######################################## -## -## Role access for bluetooth. -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`bluetooth_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_role'($*)) dnl - - gen_require(` - attribute_role bluetooth_helper_roles; - type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t; - type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_runtime_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 bluetooth_helper_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; - - allow $2 bluetooth_t:socket rw_socket_perms; - - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - stream_connect_pattern($2, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) - files_search_pids($2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_role'($*)) dnl - ') - - -##################################### 
-## -## Connect to bluetooth over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`bluetooth_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_stream_connect'($*)) dnl - - gen_require(` - type bluetooth_t, bluetooth_runtime_t; - ') - - files_search_pids($1) - allow $1 bluetooth_t:socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_stream_connect'($*)) dnl - ') - - -######################################## -## -## Execute bluetooth in the bluetooth domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`bluetooth_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans'($*)) dnl - - gen_require(` - type bluetooth_t, bluetooth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_domtrans'($*)) dnl - ') - - -######################################## -## -## Read bluetooth configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`bluetooth_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_read_config'($*)) dnl - - gen_require(` - type bluetooth_conf_t; - ') - - allow $1 bluetooth_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_read_config'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## bluetooth over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bluetooth_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_dbus_chat'($*)) dnl - - gen_require(` - type bluetooth_t; - class dbus send_msg; - ') - - allow $1 bluetooth_t:dbus send_msg; - allow bluetooth_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## bluetooth process state files. -## -## -## -## Domain to not audit. -## -## -# - define(`bluetooth_dontaudit_read_helper_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_read_helper_state'($*)) dnl - - gen_require(` - type bluetooth_helper_t; - ') - - dontaudit $1 bluetooth_helper_t:dir search_dir_perms; - dontaudit $1 bluetooth_helper_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_read_helper_state'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bluetooth environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bluetooth_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bluetooth_admin'($*)) dnl - - gen_require(` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_runtime_t; - type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; - type bluetooth_initrc_exec_t; - ') - - allow $1 bluetooth_t:process { ptrace signal_perms }; - ps_process_pattern($1, bluetooth_t) - - init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, bluetooth_tmp_t) - - files_list_var($1) - admin_pattern($1, bluetooth_lock_t) - - files_list_etc($1) - admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t }) - - files_list_var_lib($1) - admin_pattern($1, bluetooth_var_lib_t) - - files_list_pids($1) - admin_pattern($1, bluetooth_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bluetooth_admin'($*)) dnl - ') - -## Trivial file transfer protocol daemon. - -######################################## -## -## Read tftp content files. -## -## -## -## Domain allowed access. -## -## -# - define(`tftp_read_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_read_content'($*)) dnl - - gen_require(` - type tftpdir_t; - ') - - files_search_var_lib($1) - allow $1 tftpdir_t:dir list_dir_perms; - allow $1 tftpdir_t:file read_file_perms; - allow $1 tftpdir_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_read_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## tftp rw content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`tftp_manage_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_manage_rw_content'($*)) dnl - - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - allow $1 tftpdir_rw_t:dir manage_dir_perms; - allow $1 tftpdir_rw_t:file manage_file_perms; - allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_manage_rw_content'($*)) dnl - ') - - -######################################## -## -## Read tftpd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`tftp_read_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_read_config_files'($*)) dnl - - gen_require(` - type tftpd_conf_t; - ') - - files_search_etc($1) - allow $1 tftpd_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_read_config_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## tftpd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`tftp_manage_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_manage_config_files'($*)) dnl - - gen_require(` - type tftpd_conf_t; - ') - - files_search_etc($1) - allow $1 tftpd_conf_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_manage_config_files'($*)) dnl - ') - - -######################################## -## -## Create objects in etc directories -## with tftp conf type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`tftp_etc_filetrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_etc_filetrans_config'($*)) dnl - - gen_require(` - type tftpd_conf_t; - ') - - files_etc_filetrans($1, tftpd_conf_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_etc_filetrans_config'($*)) dnl - ') - - -######################################## -## -## Create objects in tftpdir directories -## with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`tftp_filetrans_tftpdir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_filetrans_tftpdir'($*)) dnl - - gen_require(` - type tftpdir_rw_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_filetrans_tftpdir'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an tftp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tftp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tftp_admin'($*)) dnl - - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_runtime_t; - type tftpd_conf_t; - ') - - allow $1 tftpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tftpd_t) - - files_search_etc($1) - admin_pattern($1, tftpd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, { tftpdir_t tftpdir_rw_t }) - - files_list_pids($1) - admin_pattern($1, tftpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tftp_admin'($*)) dnl - ') - -## Trusted Platform Module 2.0 - -######################################## -## -## Allow specified domain to enable/disable tpm2-abrmd unit -## -## -## -## Domain allowed access. -## -## -# - define(`tpm2_enabledisable_abrmd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tpm2_enabledisable_abrmd'($*)) dnl - - gen_require(` - type tpm2_abrmd_unit_t; - class service { enable disable }; - ') - - allow $1 tpm2_abrmd_unit_t:service { enable disable }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tpm2_enabledisable_abrmd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start/stop tpm2-abrmd unit -## -## -## -## Domain allowed access. 
-## -## -# - define(`tpm2_startstop_abrmd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tpm2_startstop_abrmd'($*)) dnl - - gen_require(` - type tpm2_abrmd_unit_t; - class service { start stop }; - ') - - allow $1 tpm2_abrmd_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tpm2_startstop_abrmd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of tpm2-abrmd unit -## -## -## -## Domain allowed access. -## -## -# - define(`tpm2_status_abrmd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tpm2_status_abrmd'($*)) dnl - - gen_require(` - type tpm2_abrmd_unit_t; - class service status; - ') - - allow $1 tpm2_abrmd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tpm2_status_abrmd'($*)) dnl - ') - -## ShoutCast compatible streaming media server. - -######################################## -## -## Execute a domain transition to run icecast. -## -## -## -## Domain allowed to transition. -## -## -# - define(`icecast_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_domtrans'($*)) dnl - - gen_require(` - type icecast_t, icecast_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, icecast_exec_t, icecast_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to icecast. -## -## -## -## Domain allowed access. 
-## -## -# - define(`icecast_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_signal'($*)) dnl - - gen_require(` - type icecast_t; - ') - - allow $1 icecast_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_signal'($*)) dnl - ') - - -######################################## -## -## Execute icecast server in the icecast domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`icecast_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_initrc_domtrans'($*)) dnl - - gen_require(` - type icecast_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, icecast_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read icecast pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`icecast_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_read_pid_files'($*)) dnl - - gen_require(` - type icecast_runtime_t; - ') - - files_search_pids($1) - allow $1 icecast_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## icecast pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`icecast_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_manage_pid_files'($*)) dnl - - gen_require(` - type icecast_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, icecast_runtime_t, icecast_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Read icecast log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`icecast_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_read_log'($*)) dnl - - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, icecast_log_t, icecast_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_read_log'($*)) dnl - ') - - -######################################## -## -## Append icecast log files. -## -## -## -## Domain allowed access. -## -## -# - define(`icecast_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_append_log'($*)) dnl - - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, icecast_log_t, icecast_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## icecast log files. -## -## -## -## Domain allow access. 
-## -## -# - define(`icecast_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_manage_log'($*)) dnl - - gen_require(` - type icecast_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, icecast_log_t, icecast_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_manage_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an icecast environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`icecast_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `icecast_admin'($*)) dnl - - gen_require(` - type icecast_t, icecast_initrc_exec_t, icecast_log_t; - type icecast_runtime_t; - ') - - init_startstop_service($1, $2, icecast_t, icecast_initrc_exec_t) - - allow $1 icecast_t:process { ptrace signal_perms }; - ps_process_pattern($1, icecast_t) - - logging_search_logs($1) - admin_pattern($1, icecast_log_t) - - files_search_pids($1) - admin_pattern($1, icecast_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `icecast_admin'($*)) dnl - ') - -## UUID generation daemon. - -######################################## -## -## Execute uuidd in the uuidd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`uuidd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_domtrans'($*)) dnl - - gen_require(` - type uuidd_t, uuidd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uuidd_exec_t, uuidd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute uuidd init scripts in -## the initrc domain. 
-## -## -## -## Domain allowed access. -## -## -# - define(`uuidd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_initrc_domtrans'($*)) dnl - - gen_require(` - type uuidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, uuidd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Search uuidd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`uuidd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_search_lib'($*)) dnl - - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 uuidd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read uuidd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`uuidd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_read_lib_files'($*)) dnl - - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## uuidd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`uuidd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_files'($*)) dnl - - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## uuidd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`uuidd_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_dirs'($*)) dnl - - gen_require(` - type uuidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read uuidd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`uuidd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_read_pid_files'($*)) dnl - - gen_require(` - type uuidd_runtime_t; - ') - - files_search_pids($1) - allow $1 uuidd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to uuidd with an unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`uuidd_stream_connect_manager',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_stream_connect_manager'($*)) dnl - - gen_require(` - type uuidd_t, uuidd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, uuidd_runtime_t, uuidd_runtime_t, uuidd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_stream_connect_manager'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an uuidd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`uuidd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uuidd_admin'($*)) dnl - - gen_require(` - type uuidd_t, uuidd_initrc_exec_t; - type uuidd_runtime_t, uuidd_var_lib_t; - ') - - allow $1 uuidd_t:process signal_perms; - ps_process_pattern($1, uuidd_t) - - init_startstop_service($1, $2, uuidd_t, uuidd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, uuidd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, uuidd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uuidd_admin'($*)) dnl - ') - -## Cyrus is an IMAP service intended to be run on sealed servers. - -######################################## -## -## Create, read, write, and delete -## cyrus data files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cyrus_manage_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cyrus_manage_data'($*)) dnl - - gen_require(` - type cyrus_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cyrus_manage_data'($*)) dnl - ') - - -######################################## -## -## Connect to Cyrus using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`cyrus_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cyrus_stream_connect'($*)) dnl - - gen_require(` - type cyrus_t, cyrus_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cyrus_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cyrus environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`cyrus_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cyrus_admin'($*)) dnl - - gen_require(` - type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; - type cyrus_runtime_t, cyrus_initrc_exec_t; - type cyrus_keytab_t; - ') - - allow $1 cyrus_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyrus_t) - - init_startstop_service($1, $2, cyrus_t, cyrus_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, cyrus_keytab_t) - - files_list_tmp($1) - admin_pattern($1, cyrus_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, cyrus_var_lib_t) - - files_list_pids($1) - admin_pattern($1, cyrus_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cyrus_admin'($*)) dnl - ') - -## Portable Transparent Proxy Solution. - -######################################## -## -## All of the rules required to -## administrate an transproxy environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`transproxy_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `transproxy_admin'($*)) dnl - - gen_require(` - type transproxy_t, transproxy_initrc_exec_t, transproxy_runtime_t; - ') - - allow $1 transproxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, transproxy_t) - - init_startstop_service($1, $2, transproxy_t, transproxy_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, transproxy_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `transproxy_admin'($*)) dnl - ') - -## SSH dictionary attack mitigation. - -######################################## -## -## Execute a domain transition to run denyhosts. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`denyhosts_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `denyhosts_domtrans'($*)) dnl - - gen_require(` - type denyhosts_t, denyhosts_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `denyhosts_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute denyhost server in the -## denyhost domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`denyhosts_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `denyhosts_initrc_domtrans'($*)) dnl - - gen_require(` - type denyhosts_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `denyhosts_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an denyhosts environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`denyhosts_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `denyhosts_admin'($*)) dnl - - gen_require(` - type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - - allow $1 denyhosts_t:process { ptrace signal_perms }; - ps_process_pattern($1, denyhosts_t) - - init_startstop_service($1, $2, denyhosts_t, denyhosts_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, denyhosts_var_log_t) - - files_search_locks($1) - admin_pattern($1, denyhosts_var_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `denyhosts_admin'($*)) dnl - ') - -## UNIX Client-Server Program Interface for TCP. - -######################################## -## -## Define a specified domain as a ucspitcp service. -## -## -## -## Domain allowed access. -## -## -## -## -## The type associated with the process program. -## -## -# - define(`ucspitcp_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ucspitcp_service_domain'($*)) dnl - - gen_require(` - type ucspitcp_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(ucspitcp_t, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ucspitcp_service_domain'($*)) dnl - ') - -## Universal Addresses to RPC Program Number Mapper. - -######################################## -## -## Execute a domain transition to run rpcbind. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rpcbind_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_domtrans'($*)) dnl - - gen_require(` - type rpcbind_t, rpcbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to rpcbind with a -## unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rpcbind_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_stream_connect'($*)) dnl - - gen_require(` - type rpcbind_t, rpcbind_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rpcbind_runtime_t, rpcbind_runtime_t, rpcbind_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read rpcbind pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpcbind_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_read_pid_files'($*)) dnl - - gen_require(` - type rpcbind_runtime_t; - ') - - files_search_pids($1) - allow $1 rpcbind_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Search rpcbind lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpcbind_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_search_lib'($*)) dnl - - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rpcbind_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_search_lib'($*)) dnl - ') - - -######################################## -## -## Read rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpcbind_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_read_lib_files'($*)) dnl - - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rpcbind lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpcbind_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_manage_lib_files'($*)) dnl - - gen_require(` - type rpcbind_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Send null signals to rpcbind. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpcbind_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_signull'($*)) dnl - - gen_require(` - type rpcbind_t; - ') - - allow $1 rpcbind_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_signull'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rpcbind environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rpcbind_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpcbind_admin'($*)) dnl - - gen_require(` - type rpcbind_t, rpcbind_var_lib_t, rpcbind_runtime_t; - type rpcbind_initrc_exec_t; - ') - - allow $1 rpcbind_t:process { ptrace signal_perms }; - ps_process_pattern($1, rpcbind_t) - - init_startstop_service($1, $2, rpcbind_t, rpcbind_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, rpcbind_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, rpcbind_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpcbind_admin'($*)) dnl - ') - -## Dictionary daemon. - -######################################## -## -## All of the rules required to -## administrate an dictd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dictd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dictd_admin'($*)) dnl - - gen_require(` - type dictd_t, dictd_etc_t, dictd_var_lib_t; - type dictd_runtime_t, dictd_initrc_exec_t; - ') - - allow $1 dictd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dictd_t) - - init_startstop_service($1, $2, dictd_t, dictd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, dictd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, dictd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dictd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dictd_admin'($*)) dnl - ') - -## console font and keymap setup program for debian - -######################################## -## -## Execute console-setup in the consolesetup domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`consolesetup_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolesetup_domtrans'($*)) dnl - - gen_require(` - type consolesetup_t, consolesetup_conf_t, consolesetup_exec_t, consolesetup_runtime_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, consolesetup_exec_t, consolesetup_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolesetup_domtrans'($*)) dnl - ') - - -######################################## -## -## Read console-setup configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`consolesetup_read_conf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolesetup_read_conf'($*)) dnl - - gen_require(` - type consolesetup_conf_t; - ') - - files_search_etc($1) - allow $1 consolesetup_conf_t:dir list_dir_perms; - allow $1 consolesetup_conf_t:file read_file_perms; - allow $1 consolesetup_conf_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolesetup_read_conf'($*)) dnl - ') - - -######################################## -## -## Execute console-setup configuration files -## in the caller domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`consolesetup_exec_conf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolesetup_exec_conf'($*)) dnl - - gen_require(` - type consolesetup_conf_t; - ') - - files_search_etc($1) - exec_files_pattern($1, consolesetup_conf_t, consolesetup_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolesetup_exec_conf'($*)) dnl - ') - - -######################################## -## -## Allow the caller to manage -## consolesetup_runtime_t files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`consolesetup_manage_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolesetup_manage_runtime'($*)) dnl - - gen_require(` - type consolesetup_runtime_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t) - manage_files_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolesetup_manage_runtime'($*)) dnl - ') - - -######################################## -## -## Create a console-setup directory in -## the runtime directory. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`consolesetup_pid_filetrans_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolesetup_pid_filetrans_runtime'($*)) dnl - - gen_require(` - type consolesetup_runtime_t; - ') - - files_pid_filetrans($1, consolesetup_runtime_t, dir, "console-setup") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolesetup_pid_filetrans_runtime'($*)) dnl - ') - -## The onion router. - -######################################## -## -## Execute a domain transition to run tor. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tor_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tor_domtrans'($*)) dnl - - gen_require(` - type tor_t, tor_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tor_exec_t, tor_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tor_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an tor environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tor_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tor_admin'($*)) dnl - - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_runtime_t, tor_initrc_exec_t; - ') - - allow $1 tor_t:process { ptrace signal_perms }; - ps_process_pattern($1, tor_t) - - init_startstop_service($1, $2, tor_t, tor_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, tor_etc_t) - - files_list_var_lib($1) - admin_pattern($1, tor_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, tor_var_log_t) - - files_list_pids($1) - admin_pattern($1, tor_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tor_admin'($*)) dnl - ') - -## University of Washington IMAP toolkit POP3 and IMAP mail server. - -######################################## -## -## Execute imapd in the imapd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`uwimap_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uwimap_domtrans'($*)) dnl - - gen_require(` - type imapd_t, imapd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, imapd_exec_t, imapd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uwimap_domtrans'($*)) dnl - ') - -## IRQ balancing daemon. - -######################################## -## -## All of the rules required to -## administrate an irqbalance environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`irqbalance_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `irqbalance_admin'($*)) dnl - - gen_require(` - type irqbalance_t, irqbalance_initrc_exec_t; - type irqbalance_pid_t, irqbalance_unit_t; - ') - - allow $1 irqbalance_t:process { ptrace signal_perms }; - ps_process_pattern($1, irqbalance_t) - - init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t, irqbalance_unit_t) - - files_search_pids($1) - admin_pattern($1, irqbalance_pid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `irqbalance_admin'($*)) dnl - ') - -## Roundup Issue Tracking System. - -######################################## -## -## All of the rules required to -## administrate an roundup environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`roundup_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `roundup_admin'($*)) dnl - - gen_require(` - type roundup_t, roundup_var_lib_t, roundup_runtime_t; - type roundup_initrc_exec_t; - ') - - allow $1 roundup_t:process { ptrace signal_perms }; - ps_process_pattern($1, roundup_t) - - init_startstop_service($1, $2, roundup_t, roundup_initrc_exec_t) - - files_list_var_lib($1) - admin_pattern($1, roundup_var_lib_t) - - files_list_pids($1) - admin_pattern($1, roundup_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `roundup_admin'($*)) dnl - ') - -## Manage electronic mail discussion and e-newsletter lists. - -####################################### -## -## The template to define a mailman domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`mailman_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_domain_template'($*)) dnl - - gen_require(` - attribute mailman_domain; - ') - - ######################################## - # - # Declarations - # - - type mailman_$1_t, mailman_domain; - type mailman_$1_exec_t; - domain_type(mailman_$1_t) - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - role system_r types mailman_$1_t; - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - - #################################### - # - # Policy - # - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - - auth_use_nsswitch(mailman_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_domain_template'($*)) dnl - ') - - -####################################### -## -## Execute mailman in the mailman domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mailman_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_domtrans'($*)) dnl - - gen_require(` - type mailman_mail_exec_t, mailman_mail_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the mailman program in the -## mailman domain and allow the -## specified role the mailman domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mailman_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_run'($*)) dnl - - gen_require(` - attribute_role mailman_roles; - ') - - mailman_domtrans($1) - roleattribute $2 mailman_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_run'($*)) dnl - ') - - -####################################### -## -## Execute mailman CGI scripts in the -## mailman CGI domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mailman_domtrans_cgi',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_domtrans_cgi'($*)) dnl - - gen_require(` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_domtrans_cgi'($*)) dnl - ') - - -####################################### -## -## Execute mailman in the caller domain. -## -## -## -## Domain allowd access. -## -## -# - define(`mailman_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_exec'($*)) dnl - - gen_require(` - type mailman_mail_exec_t; - ') - - libs_search_lib($1) - can_exec($1, mailman_mail_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_exec'($*)) dnl - ') - - -####################################### -## -## Send generic signals to mailman cgi. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mailman_signal_cgi',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_signal_cgi'($*)) dnl - - gen_require(` - type mailman_cgi_t; - ') - - allow $1 mailman_cgi_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_signal_cgi'($*)) dnl - ') - - -####################################### -## -## Search mailman data directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_search_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_search_data'($*)) dnl - - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - allow $1 mailman_data_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_search_data'($*)) dnl - ') - - -####################################### -## -## Read mailman data content. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_read_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_read_data_files'($*)) dnl - - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_read_data_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## mailman data files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mailman_manage_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_manage_data_files'($*)) dnl - - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_manage_data_files'($*)) dnl - ') - - -####################################### -## -## List mailman data directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_list_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_list_data'($*)) dnl - - gen_require(` - type mailman_data_t; - ') - - files_search_spool($1) - allow $1 mailman_data_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_list_data'($*)) dnl - ') - - -####################################### -## -## Read mailman data symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_read_data_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_read_data_symlinks'($*)) dnl - - gen_require(` - type mailman_data_t; - ') - - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_read_data_symlinks'($*)) dnl - ') - - -####################################### -## -## Read mailman log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mailman_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_read_log'($*)) dnl - - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, mailman_log_t, mailman_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_read_log'($*)) dnl - ') - - -####################################### -## -## Append mailman log files. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_append_log'($*)) dnl - - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, mailman_log_t, mailman_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_append_log'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## mailman log content. -## -## -## -## Domain allowed access. -## -## -# - define(`mailman_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_manage_log'($*)) dnl - - gen_require(` - type mailman_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_manage_log'($*)) dnl - ') - - -####################################### -## -## Read mailman archive content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mailman_read_archive',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_read_archive'($*)) dnl - - gen_require(` - type mailman_archive_t; - ') - - files_search_var_lib($1) - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_read_archive'($*)) dnl - ') - - -####################################### -## -## Execute mailman_queue in the -## mailman_queue domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mailman_domtrans_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mailman_domtrans_queue'($*)) dnl - - gen_require(` - type mailman_queue_exec_t, mailman_queue_t; - ') - - libs_search_lib($1) - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mailman_domtrans_queue'($*)) dnl - ') - -## Remote login daemon. - -######################################## -## -## Execute rlogind in the rlogin domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rlogin_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_domtrans'($*)) dnl - - gen_require(` - type rlogind_t, rlogind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rlogind_exec_t, rlogind_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_domtrans'($*)) dnl - ') - - -######################################## -## -## Read rlogin user home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rlogin_read_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_read_home_content'($*)) dnl - - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) - read_files_pattern($1, rlogind_home_t, rlogind_home_t) - read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_read_home_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rlogind home files. -## -## -## -## Domain allowed access. -## -## -# - define(`rlogin_manage_rlogind_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_home_files'($*)) dnl - - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 rlogind_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel rlogind home files. -## -## -## -## Domain allowed access. -## -## -# - define(`rlogin_relabel_rlogind_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_home_files'($*)) dnl - - gen_require(` - type rlogind_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 rlogind_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the rlogind home type. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`rlogin_home_filetrans_logind_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_home_filetrans_logind_home'($*)) dnl - - gen_require(` - type rlogind_home_t; - ') - - userdom_user_home_dir_filetrans($1, rlogind_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_home_filetrans_logind_home'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rlogind temporary content. -## -## -## -## Domain allowed access. -## -## -# - define(`rlogin_manage_rlogind_tmp_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_tmp_content'($*)) dnl - - gen_require(` - type rlogind_tmp_t; - ') - - files_search_tmp($1) - allow $1 rlogind_tmp_t:dir manage_dir_perms; - allow $1 rlogind_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_tmp_content'($*)) dnl - ') - - -######################################## -## -## Relabel rlogind temporary content. -## -## -## -## Domain allowed access. -## -## -# - define(`rlogin_relabel_rlogind_tmp_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_tmp_content'($*)) dnl - - gen_require(` - type rlogind_tmp_t; - ') - - files_search_tmp($1) - allow $1 rlogind_tmp_t:dir relabel_dir_perms; - allow $1 rlogind_tmp_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_tmp_content'($*)) dnl - ') - -## Linux Target Framework Daemon. - -##################################### -## -## Read and write tgtd semaphores. 
-## -## -## -## Domain allowed access. -## -## -# - define(`tgtd_rw_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tgtd_rw_semaphores'($*)) dnl - - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tgtd_rw_semaphores'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## tgtd sempaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`tgtd_manage_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tgtd_manage_semaphores'($*)) dnl - - gen_require(` - type tgtd_t; - ') - - allow $1 tgtd_t:sem create_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tgtd_manage_semaphores'($*)) dnl - ') - - -###################################### -## -## Connect to tgtd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`tgtd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tgtd_stream_connect'($*)) dnl - - gen_require(` - type tgtd_t, tgtd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, tgtd_runtime_t, tgtd_runtime_t, tgtd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tgtd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an tgtd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tgtd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tgtd_admin'($*)) dnl - - gen_require(` - type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t; - type tgtd_runtime_t, tgtd_tmp_t, tgtd_tmpfs_t; - ') - - allow $1 tgtd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tgtd_t) - - init_startstop_service($1, $2, tgtd_t, tgtd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, tgtd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, tgtd_runtime_t) - - files_search_tmp($1) - admin_pattern($1, tgtd_tmp_t) - - fs_search_tmpfs($1) - admin_pattern($1, tgtd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tgtd_admin'($*)) dnl - ') - -## Common e-mail transfer agent policy. - -######################################## -## -## MTA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_stub'($*)) dnl - - gen_require(` - type sendmail_exec_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_stub'($*)) dnl - ') - - -####################################### -## -## The template to define a mail domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`mta_base_mail_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_base_mail_template'($*)) dnl - - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_mail_t, user_mail_domain; - application_domain($1_mail_t, sendmail_exec_t) - - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - - ######################################## - # - # Declarations - # - - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - - auth_use_nsswitch($1_mail_t) - - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_base_mail_template'($*)) dnl - ') - - -######################################## -## -## Role access for mta. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`mta_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_role'($*)) dnl - - gen_require(` - attribute mta_user_agent; - attribute_role user_mail_roles; - type user_mail_t, sendmail_exec_t, mail_home_t; - type user_mail_tmp_t, mail_home_rw_t; - ') - - roleattribute $1 user_mail_roles; - - # this is something i need to fix - # i dont know if and why it is needed - # will role attribute work? 
- role $1 types mta_user_agent; - - domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; - - allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; - ps_process_pattern($2, { user_mail_t mta_user_agent }) - - allow $2 mail_home_t:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue") - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward") - userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc") - userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter") - - allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms }; - allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir") - userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir") - - allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms }; - - optional_policy(` - exim_run($2, $1) - ') - - optional_policy(` - mailman_run($2, $1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_role'($*)) dnl - ') - - -######################################## -## -## Make the specified domain usable for a mail server. -## -## -## -## Type to be used as a mail server domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. 
-## -## -# - define(`mta_mailserver',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_mailserver'($*)) dnl - - gen_require(` - attribute mailserver_domain; - ') - - init_daemon_domain($1, $2) - typeattribute $1 mailserver_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_mailserver'($*)) dnl - ') - - -######################################## -## -## Make the specified type a MTA executable file. -## -## -## -## Type to be used as a mail client. -## -## -# - define(`mta_agent_executable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_agent_executable'($*)) dnl - - gen_require(` - attribute mta_exec_type; - ') - - typeattribute $1 mta_exec_type; - - application_executable_file($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_agent_executable'($*)) dnl - ') - - -####################################### -## -## Read mta mail home files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_read_mail_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_mail_home_files'($*)) dnl - - gen_require(` - type mail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mail_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_mail_home_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## mta mail home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_manage_mail_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_manage_mail_home_files'($*)) dnl - - gen_require(` - type mail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mail_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_manage_mail_home_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the generic mail -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mta_home_filetrans_mail_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_home_filetrans_mail_home'($*)) dnl - - gen_require(` - type mail_home_t; - ') - - userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_home_filetrans_mail_home'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## mta mail home rw content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_manage_mail_home_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_manage_mail_home_rw_content'($*)) dnl - - gen_require(` - type mail_home_rw_t; - ') - - userdom_search_user_home_dirs($1) - manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) - manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) - manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_manage_mail_home_rw_content'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the generic mail -## home rw type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mta_home_filetrans_mail_home_rw',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_home_filetrans_mail_home_rw'($*)) dnl - - gen_require(` - type mail_home_rw_t; - ') - - userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_home_filetrans_mail_home_rw'($*)) dnl - ') - - -######################################## -## -## Make the specified type by a system MTA. -## -## -## -## Type to be used as a mail client. -## -## -# - define(`mta_system_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_system_content'($*)) dnl - - gen_require(` - attribute mailcontent_type; - ') - - typeattribute $1 mailcontent_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_system_content'($*)) dnl - ') - - -######################################## -## -## Modified mailserver interface for -## sendmail daemon use. -## -## -##

-## A modified MTA mail server interface for -## the sendmail program. It's design does -## not fit well with policy, and using the -## regular interface causes a type_transition -## conflict if direct running of init scripts -## is enabled. -##

-##

-## This interface should most likely only be used -## by the sendmail policy. -##

-##
-## -## -## The type to be used for the mail server. -## -## -# - define(`mta_sendmail_mailserver',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_sendmail_mailserver'($*)) dnl - - gen_require(` - attribute mailserver_domain; - type sendmail_exec_t; - ') - - init_system_domain($1, sendmail_exec_t) - - typeattribute $1 mailserver_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_sendmail_mailserver'($*)) dnl - ') - - -######################################## -## -## Inherit FDs from mailserver_domain domains -## -## -## -## Type for a list server or delivery agent that inherits fds -## -## -# - define(`mta_use_mailserver_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_use_mailserver_fds'($*)) dnl - - gen_require(` - attribute mailserver_domain; - ') - - allow $1 mailserver_domain:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_use_mailserver_fds'($*)) dnl - ') - - -####################################### -## -## Make a type a mailserver type used -## for sending mail. -## -## -## -## Mail server domain type used for sending mail. -## -## -# - define(`mta_mailserver_sender',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_mailserver_sender'($*)) dnl - - gen_require(` - attribute mailserver_sender; - ') - - typeattribute $1 mailserver_sender; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_mailserver_sender'($*)) dnl - ') - - -####################################### -## -## Make a type a mailserver type used -## for delivering mail to local users. -## -## -## -## Mail server domain type used for delivering mail. 
-## -## -# - define(`mta_mailserver_delivery',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_mailserver_delivery'($*)) dnl - - gen_require(` - attribute mailserver_delivery; - ') - - typeattribute $1 mailserver_delivery; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_mailserver_delivery'($*)) dnl - ') - - -####################################### -## -## Make a type a mailserver type used -## for sending mail on behalf of local -## users to the local mail spool. -## -## -## -## Mail server domain type used for sending local mail. -## -## -# - define(`mta_mailserver_user_agent',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_mailserver_user_agent'($*)) dnl - - gen_require(` - attribute mta_user_agent; - ') - - typeattribute $1 mta_user_agent; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_mailserver_user_agent'($*)) dnl - ') - - -######################################## -## -## Send mail from the system. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mta_send_mail',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_send_mail'($*)) dnl - - gen_require(` - type system_mail_t; - attribute mta_exec_type; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - attribute mta_user_agent; - ') - - dontaudit mta_user_agent $1:fd use; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_send_mail'($*)) dnl - ') - - -######################################## -## -## Execute send mail in a specified domain. -## -## -##

-## Execute send mail in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`mta_sendmail_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_sendmail_domtrans'($*)) dnl - - gen_require(` - type sendmail_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, sendmail_exec_t, $2) - - allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_sendmail_domtrans'($*)) dnl - ') - - -######################################## -## -## Send signals to system mail. -## -## -## -## Domain allowed access. -## -## -# -# - define(`mta_signal_system_mail',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_signal_system_mail'($*)) dnl - - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_signal_system_mail'($*)) dnl - ') - - -######################################## -## -## Send kill signals to system mail. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_kill_system_mail',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_kill_system_mail'($*)) dnl - - gen_require(` - type system_mail_t; - ') - - allow $1 system_mail_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_kill_system_mail'($*)) dnl - ') - - -######################################## -## -## Execute sendmail in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_sendmail_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_sendmail_exec'($*)) dnl - - gen_require(` - type sendmail_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, sendmail_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_sendmail_exec'($*)) dnl - ') - - -######################################## -## -## Make sendmail usable as an entry -## point for the domain. -## -## -## -## Domain to be entered. -## -## -# - define(`mta_sendmail_entry_point',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_sendmail_entry_point'($*)) dnl - - gen_require(` - type sendmail_exec_t; - ') - - domain_entry_file($1, sendmail_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_sendmail_entry_point'($*)) dnl - ') - - -######################################## -## -## Read mail server configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mta_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_config'($*)) dnl - - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; - allow $1 etc_mail_t:file read_file_perms; - allow $1 etc_mail_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_config'($*)) dnl - ') - - -######################################## -## -## Write mail server configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mta_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_write_config'($*)) dnl - - gen_require(` - type etc_mail_t; - ') - - files_search_etc($1) - write_files_pattern($1, etc_mail_t, etc_mail_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_write_config'($*)) dnl - ') - - -######################################## -## -## Read mail address alias files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_read_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - read_files_pattern($1, etc_mail_t, etc_aliases_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_aliases'($*)) dnl - ') - - -######################################## -## -## Read mail address alias files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_map_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_map_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - allow $1 etc_aliases_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_map_aliases'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mail address alias content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_manage_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_manage_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - manage_files_pattern($1, etc_mail_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_mail_t, etc_aliases_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_manage_aliases'($*)) dnl - ') - - -######################################## -## -## Create specified object in generic -## etc directories with the mail address -## alias type. -## -## -## -## Domain allowed access. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mta_etc_filetrans_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_etc_filetrans_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - files_etc_filetrans($1, etc_aliases_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_etc_filetrans_aliases'($*)) dnl - ') - - -######################################## -## -## Create specified objects in specified -## directories with a type transition to -## the mail address alias type. -## -## -## -## Domain allowed access. -## -## -## -## -## Directory to transition on. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`mta_spec_filetrans_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_spec_filetrans_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - filetrans_pattern($1, $2, etc_aliases_t, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_spec_filetrans_aliases'($*)) dnl - ') - - -######################################## -## -## Read and write mail alias files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mta_rw_aliases',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_rw_aliases'($*)) dnl - - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) - allow $1 etc_aliases_t:file rw_file_perms; - - ifdef(`distro_gentoo',` - gen_require(` - type etc_mail_t; - ') - - search_dirs_pattern($1, etc_mail_t, etc_aliases_t) - rw_files_pattern($1, etc_mail_t, etc_aliases_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_rw_aliases'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to read -## and write TCP sockets of mail -## delivery domains. -## -## -## -## Domain to not audit. -## -## -# - define(`mta_dontaudit_rw_delivery_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl - - gen_require(` - attribute mailserver_delivery; - ') - - dontaudit $1 mailserver_delivery:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to read -## mail spool symlinks. -## -## -## -## Domain to not audit. 
-## -## -# - define(`mta_dontaudit_read_spool_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_dontaudit_read_spool_symlinks'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - dontaudit $1 mail_spool_t:lnk_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_dontaudit_read_spool_symlinks'($*)) dnl - ') - - -######################################## -## -## Get attributes of mail spool content. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_getattr_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_getattr_spool'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - getattr_files_pattern($1, mail_spool_t, mail_spool_t) - read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_getattr_spool'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get -## attributes of mail spool files. -## -## -## -## Domain to not audit. -## -## -# - define(`mta_dontaudit_getattr_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_dontaudit_getattr_spool_files'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_dontaudit_search_spool($1) - dontaudit $1 mail_spool_t:dir search_dir_perms; - dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; - dontaudit $1 mail_spool_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_dontaudit_getattr_spool_files'($*)) dnl - ') - - -####################################### -## -## Create specified objects in the -## mail spool directory with a -## private type. -## -## -## -## Domain allowed access. 
-## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mta_spool_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mail_spool_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_spool_filetrans'($*)) dnl - ') - - -####################################### -## -## Read mail spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_spool_files'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, mail_spool_t, mail_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Read and write mail spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_rw_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_rw_spool'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file rw_file_perms; - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_rw_spool'($*)) dnl - ') - - -####################################### -## -## Create, read, and write mail spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_append_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_append_spool'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; - manage_files_pattern($1, mail_spool_t, mail_spool_t) - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_append_spool'($*)) dnl - ') - - -####################################### -## -## Delete mail spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_delete_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_delete_spool'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - delete_files_pattern($1, mail_spool_t, mail_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_delete_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mail spool content. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_manage_spool'($*)) dnl - - gen_require(` - type mail_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mail_spool_t, mail_spool_t) - manage_files_pattern($1, mail_spool_t, mail_spool_t) - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_manage_spool'($*)) dnl - ') - - -####################################### -## -## Create specified objects in the -## mail queue spool directory with a -## private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. 
-## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mta_queue_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_queue_filetrans'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_queue_filetrans'($*)) dnl - ') - - -######################################## -## -## Search mail queue directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_search_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_search_queue'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_search_queue'($*)) dnl - ') - - -####################################### -## -## List mail queue directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_list_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_list_queue'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - allow $1 mqueue_spool_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_list_queue'($*)) dnl - ') - - -####################################### -## -## Read mail queue files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_read_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_queue'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_queue'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to read and -## write mail queue content. -## -## -## -## Domain to not audit. -## -## -# - define(`mta_dontaudit_rw_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_queue'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - dontaudit $1 mqueue_spool_t:dir search_dir_perms; - dontaudit $1 mqueue_spool_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_queue'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mail queue content. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_manage_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_manage_queue'($*)) dnl - - gen_require(` - type mqueue_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_manage_queue'($*)) dnl - ') - - -####################################### -## -## Read sendmail binary. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mta_read_sendmail_bin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_read_sendmail_bin'($*)) dnl - - gen_require(` - type sendmail_exec_t; - ') - - allow $1 sendmail_exec_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_read_sendmail_bin'($*)) dnl - ') - - -####################################### -## -## Read and write unix domain stream -## sockets of all base mail domains. -## -## -## -## Domain allowed access. -## -## -# - define(`mta_rw_user_mail_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mta_rw_user_mail_stream_sockets'($*)) dnl - - gen_require(` - attribute user_mail_domain; - ') - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mta_rw_user_mail_stream_sockets'($*)) dnl - ') - -## Ricci cluster management agent. - -######################################## -## -## Execute a domain transition to run ricci. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ricci_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans'($*)) dnl - - gen_require(` - type ricci_t, ricci_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_exec_t, ricci_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run ricci modcluster. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ricci_domtrans_modcluster',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modcluster'($*)) dnl - - gen_require(` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans_modcluster'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## ricci modcluster file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`ricci_dontaudit_use_modcluster_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_use_modcluster_fds'($*)) dnl - - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_dontaudit_use_modcluster_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read write -## ricci modcluster unamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`ricci_dontaudit_rw_modcluster_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl - - gen_require(` - type ricci_modcluster_t; - ') - - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl - ') - - -######################################## -## -## Connect to ricci_modclusterd with -## a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ricci_stream_connect_modclusterd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_stream_connect_modclusterd'($*)) dnl - - gen_require(` - type ricci_modclusterd_t, ricci_modcluster_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ricci_modcluster_runtime_t, ricci_modcluster_runtime_t, ricci_modclusterd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_stream_connect_modclusterd'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run ricci modlog. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ricci_domtrans_modlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modlog'($*)) dnl - - gen_require(` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans_modlog'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run ricci modrpm. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ricci_domtrans_modrpm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modrpm'($*)) dnl - - gen_require(` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans_modrpm'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run ricci modservice. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ricci_domtrans_modservice',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modservice'($*)) dnl - - gen_require(` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans_modservice'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run ricci modstorage. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ricci_domtrans_modstorage',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modstorage'($*)) dnl - - gen_require(` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_domtrans_modstorage'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ricci environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ricci_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ricci_admin'($*)) dnl - - gen_require(` - type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; - type ricci_var_lib_t, ricci_var_log_t, ricci_runtime_t; - ') - - allow $1 ricci_t:process { ptrace signal_perms }; - ps_process_pattern($1, ricci_t) - - init_startstop_service($1, $2, ricci_t, ricci_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, ricci_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, ricci_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, ricci_var_log_t) - - files_list_pids($1) - admin_pattern($1, ricci_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ricci_admin'($*)) dnl - ') - -## GNUstep distributed object mapper. - -######################################## -## -## Read gdomap configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`gdomap_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gdomap_read_config'($*)) dnl - - gen_require(` - type gdomap_conf_t; - ') - - files_search_etc($1) - allow $1 gdomap_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gdomap_read_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an gdomap environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`gdomap_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gdomap_admin'($*)) dnl - - gen_require(` - type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t; - type gdomap_runtime_t; - ') - - allow $1 gdomap_t:process { ptrace signal_perms }; - ps_process_pattern($1, gdomap_t) - - init_startstop_service($1, $2, gdomap_t, gdomap_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, gdomap_conf_t) - - files_search_pids($1) - admin_pattern($1, gdomap_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gdomap_admin'($*)) dnl - ') - -## Resource Group Manager. - -####################################### -## -## Execute a domain transition to run rgmanager. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rgmanager_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rgmanager_domtrans'($*)) dnl - - gen_require(` - type rgmanager_t, rgmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rgmanager_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to rgmanager with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rgmanager_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rgmanager_stream_connect'($*)) dnl - - gen_require(` - type rgmanager_t, rgmanager_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rgmanager_runtime_t, rgmanager_runtime_t, rgmanager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rgmanager_stream_connect'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## rgmanager tmp files. -## -## -## -## Domain allowed access. -## -## -# - define(`rgmanager_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmp_files'($*)) dnl - - gen_require(` - type rgmanager_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmp_files'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## rgmanager tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`rgmanager_manage_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmpfs_files'($*)) dnl - - gen_require(` - type rgmanager_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmpfs_files'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an rgmanager environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rgmanager_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rgmanager_admin'($*)) dnl - - gen_require(` - type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_runtime_t; - ') - - allow $1 rgmanager_t:process { ptrace signal_perms }; - ps_process_pattern($1, rgmanager_t) - - init_startstop_service($1, $2, rgmanager_t, rgmanager_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, rgmanager_tmp_t) - - admin_pattern($1, rgmanager_tmpfs_t) - - logging_list_logs($1) - admin_pattern($1, rgmanager_var_log_t) - - files_list_pids($1) - admin_pattern($1, rgmanager_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rgmanager_admin'($*)) dnl - ') - -## Remote Procedure Call Daemon. - -######################################## -## -## RPC stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`rpc_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_stub'($*)) dnl - - gen_require(` - type exports_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_stub'($*)) dnl - ') - - -####################################### -## -## The template to define a rpc domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`rpc_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_domain_template'($*)) dnl - - gen_require(` - attribute rpc_domain; - ') - - ######################################## - # - # Declarations - # - - type $1_t, rpc_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - domain_use_interactive_fds($1_t) - - ######################################## - # - # Policy - # - - auth_use_nsswitch($1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_domain_template'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get -## attributes of export files. -## -## -## -## Domain to not audit. -## -## -# - define(`rpc_dontaudit_getattr_exports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_dontaudit_getattr_exports'($*)) dnl - - gen_require(` - type exports_t; - ') - - dontaudit $1 exports_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_dontaudit_getattr_exports'($*)) dnl - ') - - -######################################## -## -## Read export files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpc_read_exports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_read_exports'($*)) dnl - - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_read_exports'($*)) dnl - ') - - -######################################## -## -## Write export files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpc_write_exports',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_write_exports'($*)) dnl - - gen_require(` - type exports_t; - ') - - allow $1 exports_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_write_exports'($*)) dnl - ') - - -######################################## -## -## Execute nfsd in the nfsd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rpc_domtrans_nfsd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_domtrans_nfsd'($*)) dnl - - gen_require(` - type nfsd_t, nfsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nfsd_exec_t, nfsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_domtrans_nfsd'($*)) dnl - ') - - -####################################### -## -## Execute nfsd init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rpc_initrc_domtrans_nfsd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_nfsd'($*)) dnl - - gen_require(` - type nfsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nfsd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_nfsd'($*)) dnl - ') - - -######################################## -## -## Execute rpcd in the rpcd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rpc_domtrans_rpcd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_domtrans_rpcd'($*)) dnl - - gen_require(` - type rpcd_t, rpcd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpcd_exec_t, rpcd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_domtrans_rpcd'($*)) dnl - ') - - -####################################### -## -## Execute rpcd init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rpc_initrc_domtrans_rpcd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_rpcd'($*)) dnl - - gen_require(` - type rpcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_rpcd'($*)) dnl - ') - - -######################################## -## -## Read nfs exported content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`rpc_read_nfs_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_content'($*)) dnl - - gen_require(` - type nfsd_ro_t, nfsd_rw_t; - ') - - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_read_nfs_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## nfs exported read write content. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`rpc_manage_nfs_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_rw_content'($*)) dnl - - gen_require(` - type nfsd_rw_t; - ') - - manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_rw_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## nfs exported read only content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`rpc_manage_nfs_ro_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_ro_content'($*)) dnl - - gen_require(` - type nfsd_ro_t; - ') - - manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_ro_content'($*)) dnl - ') - - -######################################## -## -## Read and write to nfsd tcp sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`rpc_tcp_rw_nfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_tcp_rw_nfs_sockets'($*)) dnl - - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:tcp_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_tcp_rw_nfs_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write to nfsd udp sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpc_udp_rw_nfs_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_udp_rw_nfs_sockets'($*)) dnl - - gen_require(` - type nfsd_t; - ') - - allow $1 nfsd_t:udp_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_udp_rw_nfs_sockets'($*)) dnl - ') - - -######################################## -## -## Search nfs lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`rpc_search_nfs_state_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_search_nfs_state_data'($*)) dnl - - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_search_nfs_state_data'($*)) dnl - ') - - -######################################## -## -## Read nfs lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`rpc_read_nfs_state_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_state_data'($*)) dnl - - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_read_nfs_state_data'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## nfs lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rpc_manage_nfs_state_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data'($*)) dnl - - gen_require(` - type var_lib_nfs_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - - ifdef(`distro_gentoo',` - rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rpc environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rpc_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rpc_admin'($*)) dnl - - gen_require(` - attribute rpc_domain; - type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; - type var_lib_nfs_t, rpcd_runtime_t, gssd_tmp_t; - type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t; - type nfsd_t, rpcd_t; - ') - - allow $1 rpc_domain:process { ptrace signal_perms }; - ps_process_pattern($1, rpc_domain) - - init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t) - init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { gssd_keytab_t exports_t }) - - files_list_var_lib($1) - admin_pattern($1, var_lib_nfs_t) - - files_list_pids($1) - admin_pattern($1, rpcd_runtime_t) - - files_list_all($1) - admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) - - files_list_tmp($1) - admin_pattern($1, gssd_tmp_t) - - fs_search_nfsd_fs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rpc_admin'($*)) dnl - ') - -## Linux infared remote control daemon. - -######################################## -## -## Execute a domain transition to run lircd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`lircd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lircd_domtrans'($*)) dnl - - gen_require(` - type lircd_t, lircd_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, lircd_exec_t, lircd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lircd_domtrans'($*)) dnl - ') - - -###################################### -## -## Connect to lircd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`lircd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lircd_stream_connect'($*)) dnl - - gen_require(` - type lircd_runtime_t, lircd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, lircd_runtime_t, lircd_runtime_t, lircd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lircd_stream_connect'($*)) dnl - ') - - -####################################### -## -## Read lircd etc files. -## -## -## -## Domain allowed access. -## -## -# - define(`lircd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lircd_read_config'($*)) dnl - - gen_require(` - type lircd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, lircd_etc_t, lircd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lircd_read_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate a lircd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`lircd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lircd_admin'($*)) dnl - - gen_require(` - type lircd_t, lircd_runtime_t; - type lircd_initrc_exec_t, lircd_etc_t; - ') - - allow $1 lircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, lircd_t) - - init_startstop_service($1, $2, lircd_t, lircd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, lircd_etc_t) - - files_search_pids($1) - admin_pattern($1, lircd_runtime_t) - dev_list_all_dev_nodes($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lircd_admin'($*)) dnl - ') - -## Kana-kanji conversion server. - -######################################## -## -## Connect to Canna using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`canna_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `canna_stream_connect'($*)) dnl - - gen_require(` - type canna_t, canna_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, canna_runtime_t, canna_runtime_t, canna_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `canna_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an canna environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`canna_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `canna_admin'($*)) dnl - - gen_require(` - type canna_t, canna_log_t, canna_var_lib_t; - type canna_runtime_t, canna_initrc_exec_t; - ') - - allow $1 canna_t:process { ptrace signal_perms }; - ps_process_pattern($1, canna_t) - - init_startstop_service($1, $2, canna_t, canna_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, canna_log_t) - - files_list_var_lib($1) - admin_pattern($1, canna_var_lib_t) - - files_list_pids($1) - admin_pattern($1, canna_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `canna_admin'($*)) dnl - ') - -## Munin network-wide load graphing. - -####################################### -## -## The template to define a munin plugin domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`munin_plugin_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_plugin_template'($*)) dnl - - gen_require(` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t; - ') - - ######################################## - # - # Declarations - # - - type $1_munin_plugin_t, munin_plugin_domain; - type $1_munin_plugin_exec_t; - application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) - role system_r types $1_munin_plugin_t; - - type $1_munin_plugin_tmp_t, munin_plugin_tmp_content; - files_tmp_file($1_munin_plugin_tmp_t) - - ######################################## - # - # Policy - # - - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - - manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) - dnl - popdef(`policy_call_depth') dnl - 
policy_m4_comment(policy_call_depth,end `munin_plugin_template'($*)) dnl - ') - - -######################################## -## -## Connect to munin over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`munin_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_stream_connect'($*)) dnl - - gen_require(` - type munin_runtime_t, munin_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, munin_runtime_t, munin_runtime_t, munin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_stream_connect'($*)) dnl - ') - - -####################################### -## -## Read munin configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`munin_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_read_config'($*)) dnl - - gen_require(` - type munin_etc_t; - ') - - files_search_etc($1) - allow $1 munin_etc_t:dir list_dir_perms; - allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_read_config'($*)) dnl - ') - - -####################################### -## -## Append munin log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`munin_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_append_log'($*)) dnl - - gen_require(` - type munin_log_t; - ') - - logging_search_logs($1) - allow $1 munin_log_t:dir list_dir_perms; - append_files_pattern($1, munin_log_t, munin_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_append_log'($*)) dnl - ') - - -####################################### -## -## Search munin library directories. 
-## -## -## -## Domain allowed access. -## -## -# - define(`munin_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_search_lib'($*)) dnl - - gen_require(` - type munin_var_lib_t; - ') - - allow $1 munin_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_search_lib'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to search -## munin library directories. -## -## -## -## Domain to not audit. -## -## -# - define(`munin_dontaudit_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_dontaudit_search_lib'($*)) dnl - - gen_require(` - type munin_var_lib_t; - ') - - dontaudit $1 munin_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_dontaudit_search_lib'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an munin environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`munin_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `munin_admin'($*)) dnl - - gen_require(` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_runtime_t; - type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; - ') - - allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { munin_plugin_domain munin_t }) - - init_startstop_service($1, $2, munin_t, munin_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content }) - - logging_list_logs($1) - admin_pattern($1, munin_log_t) - - files_list_etc($1) - admin_pattern($1, munin_etc_t) - - files_list_var_lib($1) - admin_pattern($1, { munin_var_lib_t munin_plugin_state_t }) - - files_list_pids($1) - admin_pattern($1, munin_runtime_t) - - admin_pattern($1, httpd_munin_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `munin_admin'($*)) dnl - ') - -## Software watchdog. - -######################################## -## -## All of the rules required to -## administrate an watchdog environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`watchdog_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `watchdog_admin'($*)) dnl - - gen_require(` - type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t; - type watchdog_runtime_t; - ') - - allow $1 watchdog_t:process { ptrace signal_perms }; - ps_process_pattern($1, watchdog_t) - - init_startstop_service($1, $2, watchdog_t, watchdog_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, watchdog_log_t) - - files_search_pids($1) - admin_pattern($1, watchdog_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `watchdog_admin'($*)) dnl - ') - -## Red Hat Graphical Boot. - -######################################## -## -## RHGB stub interface. No access allowed. -## -## -## -## N/A -## -## -# - define(`rhgb_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_stub'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_stub'($*)) dnl - ') - - -######################################## -## -## Inherit and use rhgb file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_use_fds'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_use_fds'($*)) dnl - ') - - -######################################## -## -## Get the process group of rhgb. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhgb_getpgid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_getpgid'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process getpgid; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_getpgid'($*)) dnl - ') - - -######################################## -## -## Send generic signals to rhgb. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_signal'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_signal'($*)) dnl - ') - - -######################################## -## -## Read and write inherited rhgb unix -## domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_rw_stream_sockets'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## rhgb unix domain stream sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`rhgb_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - dontaudit $1 rhgb_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Connected to rhgb with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_stream_connect'($*)) dnl - - gen_require(` - type rhgb_t, rhgb_tmpfs_t; - ') - - fs_search_tmpfs($1) - stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read and write to rhgb shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_rw_shm'($*)) dnl - - gen_require(` - type rhgb_t; - ') - - allow $1 rhgb_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_rw_shm'($*)) dnl - ') - - -######################################## -## -## Read and write rhgb pty devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhgb_use_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_use_ptys'($*)) dnl - - gen_require(` - type rhgb_devpts_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 rhgb_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_use_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write rhgb pty devices. -## -## -## -## Domain to not audit. -## -## -# - define(`rhgb_dontaudit_use_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_use_ptys'($*)) dnl - - gen_require(` - type rhgb_devpts_t; - ') - - dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_use_ptys'($*)) dnl - ') - - -######################################## -## -## Read and write to rhgb tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`rhgb_rw_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhgb_rw_tmpfs_files'($*)) dnl - - gen_require(` - type rhgb_tmpfs_t; - ') - - - fs_search_tmpfs($1) - allow $1 rhgb_tmpfs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhgb_rw_tmpfs_files'($*)) dnl - ') - -## Bugtracker. - -######################################## -## -## Search bugzilla directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bugzilla_search_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bugzilla_search_content'($*)) dnl - - gen_require(` - type httpd_bugzilla_content_t; - ') - - allow $1 httpd_bugzilla_content_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bugzilla_search_content'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write bugzilla script unix domain -## stream sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`bugzilla_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type httpd_bugzilla_script_t; - ') - - dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bugzilla environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bugzilla_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bugzilla_admin'($*)) dnl - - gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; - ') - - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) - - files_search_usr($1) - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) - admin_pattern($1, httpd_bugzilla_content_t) - admin_pattern($1, httpd_bugzilla_htaccess_t) - admin_pattern($1, httpd_bugzilla_ra_content_t) - - files_search_tmp($1) - files_search_var_lib($1) - admin_pattern($1, httpd_bugzilla_rw_content_t) - - apache_list_sys_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bugzilla_admin'($*)) dnl - ') - -## Squid caching http proxy server. - -######################################## -## -## Execute squid in the squid domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`squid_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_domtrans'($*)) dnl - - gen_require(` - type squid_t, squid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, squid_exec_t, squid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute squid in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`squid_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_exec'($*)) dnl - - gen_require(` - type squid_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, squid_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_exec'($*)) dnl - ') - - -######################################## -## -## Send generic signals to squid. -## -## -## -## Domain allowed access. -## -## -# - define(`squid_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_signal'($*)) dnl - - gen_require(` - type squid_t; - ') - - allow $1 squid_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_signal'($*)) dnl - ') - - -######################################## -## -## Read and write squid unix -## domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`squid_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_rw_stream_sockets'($*)) dnl - - gen_require(` - type squid_t; - ') - - allow $1 squid_t:unix_stream_socket { getattr read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## squid cache directories. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`squid_dontaudit_search_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_dontaudit_search_cache'($*)) dnl - - gen_require(` - type squid_cache_t; - ') - - dontaudit $1 squid_cache_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_dontaudit_search_cache'($*)) dnl - ') - - -######################################## -## -## Read squid configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`squid_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_read_config'($*)) dnl - - gen_require(` - type squid_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, squid_conf_t, squid_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_read_config'($*)) dnl - ') - - -######################################## -## -## Read squid log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`squid_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_read_log'($*)) dnl - - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, squid_log_t, squid_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_read_log'($*)) dnl - ') - - -######################################## -## -## Append squid log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`squid_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_append_log'($*)) dnl - - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, squid_log_t, squid_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## squid log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`squid_manage_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_manage_logs'($*)) dnl - - gen_require(` - type squid_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, squid_log_t, squid_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_manage_logs'($*)) dnl - ') - - -######################################## -## -## dontaudit statting tmpfs files -## -## -## -## Domain to not be audited -## -## -## -# - define(`squid_dontaudit_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_dontaudit_read_tmpfs_files'($*)) dnl - - gen_require(` - type squid_tmpfs_t; - ') - - dontaudit $1 squid_tmpfs_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_dontaudit_read_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an squid environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`squid_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `squid_admin'($*)) dnl - - gen_require(` - type squid_t, squid_cache_t, squid_conf_t; - type squid_log_t, squid_runtime_t, squid_tmpfs_t; - type squid_initrc_exec_t, squid_tmp_t; - ') - - allow $1 squid_t:process { ptrace signal_perms }; - ps_process_pattern($1, squid_t) - - init_startstop_service($1, $2, squid_t, squid_initrc_exec_t) - - files_list_var($1) - admin_pattern($1, squid_cache_t) - - files_list_etc($1) - admin_pattern($1, squid_conf_t) - - logging_list_logs($1) - admin_pattern($1, squid_log_t) - - files_list_pids($1) - admin_pattern($1, squid_runtime_t) - - fs_list_tmpfs($1) - admin_pattern($1, squid_tmpfs_t) - - files_list_tmp($1) - admin_pattern($1, squid_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `squid_admin'($*)) dnl - ') - -## Document database server. - -######################################## -## -## Read couchdb log files. -## -## -## -## Domain allowed access. -## -## -# - define(`couchdb_read_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `couchdb_read_log_files'($*)) dnl - - gen_require(` - type couchdb_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, couchdb_log_t, couchdb_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `couchdb_read_log_files'($*)) dnl - ') - - -######################################## -## -## Read, write, and create couchdb lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`couchdb_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `couchdb_manage_lib_files'($*)) dnl - - gen_require(` - type couchdb_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `couchdb_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Read couchdb config files. -## -## -## -## Domain allowed access. -## -## -# - define(`couchdb_read_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `couchdb_read_conf_files'($*)) dnl - - gen_require(` - type couchdb_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `couchdb_read_conf_files'($*)) dnl - ') - - -######################################## -## -## Read couchdb pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`couchdb_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `couchdb_read_pid_files'($*)) dnl - - gen_require(` - type couchdb_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, couchdb_runtime_t, couchdb_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `couchdb_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an couchdb environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`couchdb_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `couchdb_admin'($*)) dnl - - gen_require(` - type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; - type couchdb_log_t, couchdb_var_lib_t, couchdb_runtime_t; - type couchdb_tmp_t; - ') - - allow $1 couchdb_t:process { ptrace signal_perms }; - ps_process_pattern($1, couchdb_t) - - init_startstop_service($1, $2, couchdb_t, couchdb_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, couchdb_conf_t) - - logging_search_logs($1) - admin_pattern($1, couchdb_log_t) - - files_search_tmp($1) - admin_pattern($1, couchdb_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, couchdb_var_lib_t) - - files_search_pids($1) - admin_pattern($1, couchdb_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `couchdb_admin'($*)) dnl - ') - -## USB multiplexing daemon for communicating with Apple iPod Touch and iPhone. - -######################################## -## -## Execute a domain transition to run usbmuxd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`usbmuxd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usbmuxd_domtrans'($*)) dnl - - gen_require(` - type usbmuxd_t, usbmuxd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usbmuxd_domtrans'($*)) dnl - ') - - -##################################### -## -## Connect to usbmuxd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`usbmuxd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `usbmuxd_stream_connect'($*)) dnl - - gen_require(` - type usbmuxd_t, usbmuxd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_runtime_t, usbmuxd_runtime_t, usbmuxd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `usbmuxd_stream_connect'($*)) dnl - ') - -## sound server for network audio server programs, nasd, yiff, etc - -######################################## -## -## All of the rules required to -## administrate an soundd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`soundserver_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `soundserver_admin'($*)) dnl - - gen_require(` - type soundd_t, soundd_etc_t, soundd_initrc_exec_t; - type soundd_tmp_t, soundd_runtime_t, soundd_tmpfs_t; - type soundd_state_t; - ') - - allow $1 soundd_t:process { ptrace signal_perms }; - ps_process_pattern($1, soundd_t) - - init_startstop_service($1, $2, soundd_t, soundd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, soundd_etc_t) - - files_list_tmp($1) - admin_pattern($1, soundd_tmp_t) - - fs_list_tmpfs($1) - admin_pattern($1, soundd_tmpfs_t) - - files_list_var($1) - admin_pattern($1, soundd_state_t) - - files_list_pids($1) - admin_pattern($1, soundd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `soundserver_admin'($*)) dnl - ') - -## instrumentation system for Linux. - -######################################## -## -## All of the rules required to -## administrate an stapserver environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`stapserver_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `stapserver_admin'($*)) dnl - - gen_require(` - type stapserver_t, stapserver_conf_t, stapserver_log_t; - type stapserver_runtime_t, stapserver_initrc_exec_t, stapserver_var_lib_t; - ') - - allow $1 stapserver_t:process { ptrace signal_perms }; - ps_process_pattern($1, stapserver_t) - - init_startstop_service($1, $2, stapserver_t, stapserver_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, stapserver_conf_t) - - files_search_var_lib($1) - admin_pattern($1, stapserver_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, stapserver_log_t) - - files_search_pids($1) - admin_pattern($1, stapserver_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `stapserver_admin'($*)) dnl - ') - -## IIIMF htt server. - -######################################## -## -## All of the rules required to -## administrate an i18n input environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`i18n_input_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `i18n_input_admin'($*)) dnl - - gen_require(` - type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_runtime_t; - type i18n_input_log_t; - ') - - allow $1 i18n_input_t:process { ptrace signal_perms }; - ps_process_pattern($1, i18n_input_t) - - init_startstop_service($1, $2, i18n_input_t, i18n_input_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, i18n_input_runtime_t) - - logging_search_logs($1) - admin_pattern($1, i18n_input_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `i18n_input_admin'($*)) dnl - ') - -## Console network traffic monitor. - -######################################## -## -## Execute a domain transition to run vnstat. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`vnstatd_domtrans_vnstat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans_vnstat'($*)) dnl - - gen_require(` - type vnstat_t, vnstat_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vnstat_exec_t, vnstat_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_domtrans_vnstat'($*)) dnl - ') - - -######################################## -## -## Execute vnstat in the vnstat domain, -## and allow the specified role -## the vnstat domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`vnstatd_run_vnstat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_run_vnstat'($*)) dnl - - gen_require(` - attribute_role vnstat_roles; - ') - - vnstatd_domtrans_vnstat($1) - roleattribute $2 vnstat_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_run_vnstat'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run vnstatd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`vnstatd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_t, vnstatd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_domtrans'($*)) dnl - ') - - -######################################## -## -## Search vnstatd lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vnstatd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_search_lib'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 vnstatd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_search_lib'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## vnstatd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`vnstatd_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_dirs'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read vnstatd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`vnstatd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_read_lib_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## vnstatd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vnstatd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - gen_require(` - type vnstatd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an vnstatd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`vnstatd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vnstatd_admin'($*)) dnl - - gen_require(` - type vnstatd_t, vnstatd_initrc_exec_t; - type vnstatd_pid_t, vnstatd_unit_t, vnstatd_var_lib_t; - ') - - admin_process_pattern($1, vnstatd_t) - - init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t, vnstatd_unit_t) - - files_search_pids($1) - admin_pattern($1, vnstatd_pid_t) - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) - - vnstatd_run_vnstat($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vnstatd_admin'($*)) dnl - ') - -## Ethernet activity monitor. - -######################################## -## -## Execute arpwatch server in the -## arpwatch domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`arpwatch_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_initrc_domtrans'($*)) dnl - - gen_require(` - type arpwatch_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Search arpwatch data file directories. -## -## -## -## Domain allowed access. -## -## -# - define(`arpwatch_search_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_search_data'($*)) dnl - - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - allow $1 arpwatch_data_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_search_data'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## arpwatch data files. -## -## -## -## Domain allowed access. -## -## -# - define(`arpwatch_manage_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_manage_data_files'($*)) dnl - - gen_require(` - type arpwatch_data_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_manage_data_files'($*)) dnl - ') - - -######################################## -## -## Read and write arpwatch temporary -## files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`arpwatch_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_rw_tmp_files'($*)) dnl - - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## arpwatch temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`arpwatch_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_manage_tmp_files'($*)) dnl - - gen_require(` - type arpwatch_tmp_t; - ') - - files_search_tmp($1) - allow $1 arpwatch_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_manage_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write arpwatch packet sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`arpwatch_dontaudit_rw_packet_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl - - gen_require(` - type arpwatch_t; - ') - - dontaudit $1 arpwatch_t:packet_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an arpwatch environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`arpwatch_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `arpwatch_admin'($*)) dnl - - gen_require(` - type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; - type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t; - ') - - admin_process_pattern($1, arpwatch_t) - - init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t) - - files_search_tmp($1) - admin_pattern($1, arpwatch_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, arpwatch_data_t) - - files_search_pids($1) - admin_pattern($1, arpwatch_pid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `arpwatch_admin'($*)) dnl - ') - -## Periodic execution of scheduled commands. - -####################################### -## -## The template to define a crontab domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`cron_common_crontab_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_common_crontab_template'($*)) dnl - - gen_require(` - attribute crontab_domain; - type crontab_exec_t; - ') - - ############################## - # - # Declarations - # - - type $1_t, crontab_domain; - userdom_user_application_domain($1_t, crontab_exec_t) - - type $1_tmp_t; - userdom_user_tmp_file($1_tmp_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - - auth_domtrans_chk_passwd($1_t) - auth_use_nsswitch($1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_common_crontab_template'($*)) dnl - ') - - -######################################## -## -## Role access for cron. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -## -# - define(`cron_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_role'($*)) dnl - - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { cronjob_t crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) - - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_role'($*)) dnl - ') - - -######################################## -## -## Role access for unconfined cron. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`cron_unconfined_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_unconfined_role'($*)) dnl - - gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_exec_t; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; - ') - - ############################## - # - # Declarations - # - - role $1 types { unconfined_cronjob_t crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) - - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, unconfined_cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; -') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(unconfined_cronjob_t) - - allow unconfined_cronjob_t $2:dbus send_msg; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_unconfined_role'($*)) dnl - ') - - -######################################## -## -## Role access for admin cron. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`cron_admin_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_admin_role'($*)) dnl - - gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t; - class passwd crontab; - type crond_t, crond_runtime_t, user_cron_spool_t; - bool cron_userdomain_transition, fcron_crond; - ') - - ############################## - # - # Declarations - # - - role $1 types { cronjob_t admin_crontab_t }; - - ############################## - # - # Local policy - # - - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 admin_crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, admin_crontab_t) - - # Manipulate other users crontab. - allow $2 self:passwd crontab; - - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; - - allow $2 user_cron_spool_t:file entrypoint; - - allow $2 crond_t:fifo_file rw_fifo_file_perms; - - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; - - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') - - tunable_policy(`fcron_crond',` - # Support for fcrondyn - stream_connect_pattern($2, crond_runtime_t, crond_runtime_t, crond_t) - ') - - optional_policy(` - gen_require(` - class dbus send_msg; - ') - - dbus_stub(admin_cronjob_t) - - allow cronjob_t $2:dbus send_msg; - ') - - popdef(`policy_call_depth') dnl - 
policy_m4_comment(policy_call_depth,end `cron_admin_role'($*)) dnl - ') - - -######################################## -## -## Make the specified program domain -## accessable from the system cron jobs. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# - define(`cron_system_entry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_system_entry'($*)) dnl - - gen_require(` - type crond_t, system_cronjob_t; - ') - - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_system_entry'($*)) dnl - ') - - -######################################## -## -## Execute cron in the cron system domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cron_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_domtrans'($*)) dnl - - gen_require(` - type system_cronjob_t, crond_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, crond_exec_t, system_cronjob_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute crond in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_exec'($*)) dnl - - gen_require(` - type crond_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, crond_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_exec'($*)) dnl - ') - - -######################################## -## -## Execute crond server in the crond domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`cron_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_initrc_domtrans'($*)) dnl - - gen_require(` - type crond_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, crond_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Use crond file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_use_fds'($*)) dnl - - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_use_fds'($*)) dnl - ') - - -######################################## -## -## Send child terminated signals to crond. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_sigchld'($*)) dnl - - gen_require(` - type crond_t; - ') - - allow $1 crond_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_sigchld'($*)) dnl - ') - - -######################################## -## -## Set the attributes of cron log files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_setattr_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_setattr_log_files'($*)) dnl - - gen_require(` - type cron_log_t; - ') - - allow $1 cron_log_t:file setattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_setattr_log_files'($*)) dnl - ') - - -######################################## -## -## Create cron log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_create_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_create_log_files'($*)) dnl - - gen_require(` - type cron_log_t; - ') - - create_files_pattern($1, cron_log_t, cron_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_create_log_files'($*)) dnl - ') - - -######################################## -## -## Write to cron log files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_write_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_write_log_files'($*)) dnl - - gen_require(` - type cron_log_t; - ') - - allow $1 cron_log_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_write_log_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write and delete -## cron log files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_manage_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_manage_log_files'($*)) dnl - - gen_require(` - type cron_log_t; - ') - - manage_files_pattern($1, cron_log_t, cron_log_t) - - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_manage_log_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## log directories with the cron log file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`cron_generic_log_filetrans_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_generic_log_filetrans_log'($*)) dnl - - gen_require(` - type cron_log_t; - ') - - logging_log_filetrans($1, cron_log_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_generic_log_filetrans_log'($*)) dnl - ') - - -######################################## -## -## Read cron daemon unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_read_pipes'($*)) dnl - - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_read_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## cron daemon unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`cron_dontaudit_write_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_pipes'($*)) dnl - - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write crond unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_pipes'($*)) dnl - - gen_require(` - type crond_t; - ') - - allow $1 crond_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write crond TCP sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_tcp_sockets'($*)) dnl - - gen_require(` - type crond_t; - ') - - allow $1 crond_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write cron daemon TCP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`cron_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type crond_t; - ') - - dontaudit $1 crond_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Search cron spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_search_spool'($*)) dnl - - gen_require(` - type cron_spool_t; - ') - - files_search_spool($1) - allow $1 cron_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_search_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## crond pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_manage_pid_files'($*)) dnl - - gen_require(` - type crond_runtime_t; - ') - - manage_files_pattern($1, crond_runtime_t, crond_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Execute anacron in the cron -## system domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cron_anacron_domtrans_system_job',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_anacron_domtrans_system_job'($*)) dnl - - gen_require(` - type system_cronjob_t, anacron_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_anacron_domtrans_system_job'($*)) dnl - ') - - -######################################## -## -## Use system cron job file descriptors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_use_system_job_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_use_system_job_fds'($*)) dnl - - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_use_system_job_fds'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the system spool. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_manage_system_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_manage_system_spool'($*)) dnl - - gen_require(` - type system_cron_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_manage_system_spool'($*)) dnl - ') - - -######################################## -## -## Read the system spool. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_read_system_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_read_system_spool'($*)) dnl - - gen_require(` - type system_cron_spool_t; - ') - - cron_search_spool($1) - list_dirs_pattern($1, system_cron_spool_t, system_cron_spool_t) - read_files_pattern($1, system_cron_spool_t, system_cron_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_read_system_spool'($*)) dnl - ') - - -######################################## -## -## Read and write crond temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_tmp_files'($*)) dnl - - gen_require(` - type crond_tmp_t; - ') - - allow $1 crond_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read system cron job lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_read_system_job_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_read_system_job_lib_files'($*)) dnl - - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_read_system_job_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## system cron job lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_manage_system_job_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_manage_system_job_lib_files'($*)) dnl - - gen_require(` - type system_cronjob_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_manage_system_job_lib_files'($*)) dnl - ') - - -######################################## -## -## Write system cron job unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_write_system_job_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_write_system_job_pipes'($*)) dnl - - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_write_system_job_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write system cron job -## unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_rw_system_job_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_pipes'($*)) dnl - - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_system_job_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write inherited system cron -## job unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_rw_system_job_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_stream_sockets'($*)) dnl - - gen_require(` - type system_cronjob_t; - ') - - allow $1 system_cronjob_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_system_job_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read system cron job temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cron_read_system_job_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_read_system_job_tmp_files'($*)) dnl - - gen_require(` - type system_cronjob_tmp_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_read_system_job_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append temporary -## system cron job files. -## -## -## -## Domain to not audit. -## -## -# - define(`cron_dontaudit_append_system_job_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_dontaudit_append_system_job_tmp_files'($*)) dnl - - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_dontaudit_append_system_job_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write to inherited system cron job temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`cron_rw_inherited_system_job_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_rw_inherited_system_job_tmp_files'($*)) dnl - - gen_require(` - type system_cronjob_tmp_t; - ') - - allow $1 system_cronjob_tmp_t:file rw_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_rw_inherited_system_job_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write temporary -## system cron job files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`cron_dontaudit_write_system_job_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_system_job_tmp_files'($*)) dnl - - gen_require(` - type system_cronjob_tmp_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_system_job_tmp_files'($*)) dnl - ') - - -######################################## -## -## Execute crontab in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`cron_exec_crontab',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_exec_crontab'($*)) dnl - - gen_require(` - type crontab_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, crontab_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_exec_crontab'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate a cron environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`cron_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cron_admin'($*)) dnl - - gen_require(` - type crond_t, cronjob_t, crond_initrc_exec_t; - type cron_var_lib_t, system_cronjob_var_lib_t; - type crond_tmp_t, admin_crontab_tmp_t; - type crontab_tmp_t, system_cronjob_tmp_t; - type cron_runtime_t, system_cronjob_runtime_t, crond_runtime_t; - type cron_log_t, system_cronjob_lock_t, user_cron_spool_log_t; - attribute cron_spool_type; - ') - - allow $1 { crond_t cronjob_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { crond_t cronjob_t }) - - init_startstop_service($1, $2, crond_t, crond_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, { cron_var_lib_t system_cronjob_var_lib_t }) - - files_search_tmp($1) - admin_pattern($1, { crond_tmp_t admin_crontab_tmp_t }) - admin_pattern($1, { crontab_tmp_t system_cronjob_tmp_t }) - - files_search_pids($1) - admin_pattern($1, { cron_runtime_t crond_runtime_t system_cronjob_runtime_t }) - - files_search_locks($1) - admin_pattern($1, system_cronjob_lock_t) - - logging_search_logs($1) - admin_pattern($1, { cron_log_t user_cron_spool_log_t }) - - files_search_spool($1) - admin_pattern($1, cron_spool_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cron_admin'($*)) dnl - ') - -## Aisexec Cluster Engine. - -######################################## -## -## Execute a domain transition to run aisexec. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`aisexec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aisexec_domtrans'($*)) dnl - - gen_require(` - type aisexec_t, aisexec_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, aisexec_exec_t, aisexec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aisexec_domtrans'($*)) dnl - ') - - -##################################### -## -## Connect to aisexec over a unix -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`aisexec_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aisexec_stream_connect'($*)) dnl - - gen_require(` - type aisexec_t, aisexec_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, aisexec_runtime_t, aisexec_runtime_t, aisexec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aisexec_stream_connect'($*)) dnl - ') - - -####################################### -## -## Read aisexec log files content. -## -## -## -## Domain allowed access. -## -## -# - define(`aisexec_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aisexec_read_log'($*)) dnl - - gen_require(` - type aisexec_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) - read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aisexec_read_log'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an aisexec environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`aisexecd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aisexecd_admin'($*)) dnl - - gen_require(` - type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; - type aisexec_runtime_t, aisexec_tmp_t, aisexec_tmpfs_t; - type aisexec_initrc_exec_t; - ') - - allow $1 aisexec_t:process { ptrace signal_perms }; - ps_process_pattern($1, aisexec_t) - - init_startstop_service($1, $2, aisexec_t, aisexec_initrc_exec_t) - - files_list_var_lib($1) - admin_pattern($1, aisexec_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, aisexec_var_log_t) - - files_list_pids($1) - admin_pattern($1, aisexec_runtime_t) - - files_list_tmp($1) - admin_pattern($1, aisexec_tmp_t) - - admin_pattern($1, aisexec_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aisexecd_admin'($*)) dnl - ') - -## Reports on various system states. - -######################################## -## -## Create, read, write, and delete -## sysstat log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sysstat_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysstat_manage_log'($*)) dnl - - gen_require(` - type sysstat_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sysstat_log_t, sysstat_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysstat_manage_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sysstat environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`sysstat_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysstat_admin'($*)) dnl - - gen_require(` - type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t; - ') - - allow $1 sysstat_t:process { ptrace signal_perms }; - ps_process_pattern($1, sysstat_t) - - init_startstop_service($1, $2, sysstat_t, sysstat_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, sysstat_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysstat_admin'($*)) dnl - ') - -## Resource management daemon. - -######################################## -## -## Connect to resmgrd over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`resmgr_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resmgr_stream_connect'($*)) dnl - - gen_require(` - type resmgrd_runtime_t, resmgrd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, resmgrd_runtime_t, resmgrd_runtime_t, resmgrd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resmgr_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an resmgr environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`resmgr_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `resmgr_admin'($*)) dnl - - gen_require(` - type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_runtime_t; - type resmgrd_etc_t; - ') - - allow $1 resmgrd_t:process { ptrace signal_perms }; - ps_process_pattern($1, resmgrd_t) - - init_startstop_service($1, $2, resmgrd_t, resmgrd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, resmgrd_etc_t) - - files_search_pids($1) - admin_pattern($1, resmgrd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `resmgr_admin'($*)) dnl - ') - -## Clustered Database based on Samba Trivial Database. - -######################################## -## -## Create, read, write, and delete -## ctdbd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`ctdbd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ctdbd_manage_lib_files'($*)) dnl - - gen_require(` - type ctdbd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ctdbd_manage_lib_files'($*)) dnl - ') - - -####################################### -## -## Connect to ctdbd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ctdbd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ctdbd_stream_connect'($*)) dnl - - gen_require(` - type ctdbd_t, ctdbd_runtime_t, ctdbd_tmp_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_runtime_t }, { ctdbd_tmp_t ctdbd_runtime_t }, ctdbd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ctdbd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ctdb environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ctdb_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ctdb_admin'($*)) dnl - - gen_require(` - type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_runtime_t; - ') - - allow $1 ctdbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ctdbd_t) - - init_startstop_service($1, $2, ctdbd_t, ctdbd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, ctdbd_log_t) - - files_search_tmp($1) - admin_pattern($1, ctdbd_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, ctdbd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ctdbd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ctdb_admin'($*)) dnl - ') - -## Scalable, high-performance, open source NoSQL database. - -######################################## -## -## All of the rules required to -## administrate an mongodb environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mongodb_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mongodb_admin'($*)) dnl - - gen_require(` - type mongod_t, mongod_initrc_exec_t, mongod_log_t; - type mongod_var_lib_t, mongod_runtime_t; - ') - - allow $1 mongod_t:process { ptrace signal_perms }; - ps_process_pattern($1, mongod_t) - - init_startstop_service($1, $2, mongod_t, mongod_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, mongod_log_t) - - files_search_var_lib($1) - admin_pattern($1, mongod_var_lib_t) - - files_search_pids($1) - admin_pattern($1, mongod_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mongodb_admin'($*)) dnl - ') - -## Smart disk monitoring daemon. - -####################################### -## -## Read smartmon temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`smartmon_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smartmon_read_tmp_files'($*)) dnl - - gen_require(` - type fsdaemon_tmp_t; - ') - - files_search_tmp($1) - allow $1 fsdaemon_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smartmon_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an smartmon environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`smartmon_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smartmon_admin'($*)) dnl - - gen_require(` - type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_runtime_t; - type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; - ') - - allow $1 fsdaemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, fsdaemon_t) - - init_startstop_service($1, $2, fsdaemon_t, fsdaemon_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, fsdaemon_tmp_t) - - files_list_pids($1) - admin_pattern($1, fsdaemon_runtime_t) - - files_list_var_lib($1) - admin_pattern($1, fsdaemon_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smartmon_admin'($*)) dnl - ') - -## Snort network intrusion detection system. - -######################################## -## -## Execute a domain transition to run snort. -## -## -## -## Domain allowed to transition. -## -## -# - define(`snort_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snort_domtrans'($*)) dnl - - gen_require(` - type snort_t, snort_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, snort_exec_t, snort_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snort_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an snort environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`snort_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snort_admin'($*)) dnl - - gen_require(` - type snort_t, snort_runtime_t, snort_log_t; - type snort_etc_t, snort_initrc_exec_t; - ') - - allow $1 snort_t:process { ptrace signal_perms }; - ps_process_pattern($1, snort_t) - - init_startstop_service($1, $2, snort_t, snort_initrc_exec_t) - - admin_pattern($1, snort_etc_t) - files_search_etc($1) - - admin_pattern($1, snort_log_t) - logging_search_logs($1) - - admin_pattern($1, snort_runtime_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snort_admin'($*)) dnl - ') - -## Virtual host metrics daemon. - -######################################## -## -## Execute a domain transition to run vhostmd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`vhostmd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_domtrans'($*)) dnl - - gen_require(` - type vhostmd_t, vhostmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute vhostmd init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`vhostmd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_initrc_domtrans'($*)) dnl - - gen_require(` - type vhostmd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read vhostmd tmpfs files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`vhostmd_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_read_tmpfs_files'($*)) dnl - - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - allow $1 vhostmd_tmpfs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_read_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## vhostmd tmpfs files -## -## -## -## Domain to not audit. -## -## -# - define(`vhostmd_dontaudit_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl - - gen_require(` - type vhostmd_tmpfs_t; - ') - - dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl - ') - - -####################################### -## -## Read and write vhostmd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`vhostmd_rw_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_rw_tmpfs_files'($*)) dnl - - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_rw_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## vhostmd tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vhostmd_manage_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_manage_tmpfs_files'($*)) dnl - - gen_require(` - type vhostmd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_manage_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read vhostmd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`vhostmd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_read_pid_files'($*)) dnl - - gen_require(` - type vhostmd_runtime_t; - ') - - files_search_pids($1) - allow $1 vhostmd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## vhostmd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`vhostmd_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_manage_pid_files'($*)) dnl - - gen_require(` - type vhostmd_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, vhostmd_runtime_t, vhostmd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to vhostmd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vhostmd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_stream_connect'($*)) dnl - - gen_require(` - type vhostmd_t, vhostmd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vhostmd_runtime_t, vhostmd_runtime_t, vhostmd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_stream_connect'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to read and -## write vhostmd unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`vhostmd_dontaudit_rw_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_rw_stream_connect'($*)) dnl - - gen_require(` - type vhostmd_t; - ') - - dontaudit $1 vhostmd_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_rw_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an vhostmd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`vhostmd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vhostmd_admin'($*)) dnl - - gen_require(` - type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_runtime_t; - type vhostmd_tmpfs_t; - ') - - allow $1 vhostmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vhostmd_t) - - init_startstop_service($1, $2, vhostmd_t, vhostmd_initrc_exec_t) - - fs_search_tmpfs($1) - admin_pattern($1, vhostmd_tmpfs_t) - - files_search_pids($1) - admin_pattern($1, vhostmd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vhostmd_admin'($*)) dnl - ') - -## Finger user information service. - -######################################## -## -## Execute fingerd in the fingerd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`finger_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `finger_domtrans'($*)) dnl - - gen_require(` - type fingerd_t, fingerd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fingerd_exec_t, fingerd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `finger_domtrans'($*)) dnl - ') - -## Daemon used by MiniUPnPc to speed up device discoveries. - -######################################## -## -## Read minissdpd configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`minissdpd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `minissdpd_read_config'($*)) dnl - - gen_require(` - type minissdpd_conf_t; - ') - - files_search_etc($1) - allow $1 minissdpd_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `minissdpd_read_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an minissdpd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`minissdpd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `minissdpd_admin'($*)) dnl - - gen_require(` - type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t; - type minissdpd_runtime_t; - ') - - allow $1 minissdpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, minissdpd_t) - - init_startstop_service($1, $2, minissdpd_t, minissdpd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, minissdpd_conf_t) - - files_search_pids($1) - admin_pattern($1, minissdpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `minissdpd_admin'($*)) dnl - ') - -## libcg is a library that abstracts the control group file system in Linux. - -######################################## -## -## Execute a domain transition to run -## CG Clear. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`cgroup_domtrans_cgclear',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgclear'($*)) dnl - - gen_require(` - type cgclear_t, cgclear_exec_t; - ') - - domtrans_pattern($1, cgclear_exec_t, cgclear_t) - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgclear'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## CG config parser. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cgroup_domtrans_cgconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgconfig'($*)) dnl - - gen_require(` - type cgconfig_t, cgconfig_exec_t; - ') - - domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgconfig'($*)) dnl - ') - - -######################################## -## -## Execute CG config init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cgroup_initrc_domtrans_cgconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgconfig'($*)) dnl - - gen_require(` - type cgconfig_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgconfig'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`cgroup_domtrans_cgred',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgred'($*)) dnl - - gen_require(` - type cgred_t, cgred_exec_t; - ') - - domtrans_pattern($1, cgred_exec_t, cgred_t) - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgred'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run -## CG rules engine daemon. -## domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cgroup_initrc_domtrans_cgred',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgred'($*)) dnl - - gen_require(` - type cgred_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cgred_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgred'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run CG Clear and allow the -## specified role the CG Clear -## domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cgroup_run_cgclear',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_run_cgclear'($*)) dnl - - gen_require(` - type cgclear_t; - ') - - cgroup_domtrans_cgclear($1) - role $2 types cgclear_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_run_cgclear'($*)) dnl - ') - - -######################################## -## -## Connect to CG rules engine daemon -## over unix stream sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cgroup_stream_connect_cgred',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_stream_connect_cgred'($*)) dnl - - gen_require(` - type cgred_runtime_t, cgred_t; - ') - - stream_connect_pattern($1, cgred_runtime_t, cgred_runtime_t, cgred_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_stream_connect_cgred'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate -## an cgroup environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cgroup_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgroup_admin'($*)) dnl - - gen_require(` - type cgred_t, cgconfig_t, cgred_runtime_t; - type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; - type cgrules_etc_t, cgclear_t; - ') - - allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) - - admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) - files_list_etc($1) - - admin_pattern($1, cgred_runtime_t) - files_list_pids($1) - - init_startstop_service($1, $2, cgred_t, cgred_initrc_exec_t) - init_startstop_service($1, $2, cgconfig_t, cgconfig_initrc_exec_t) - - cgroup_run_cgclear($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgroup_admin'($*)) dnl - ') - -## Pingd of the Whatsup cluster node up/down detection utility. - -######################################## -## -## Execute a domain transition to run pingd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`pingd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pingd_domtrans'($*)) dnl - - gen_require(` - type pingd_t, pingd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pingd_exec_t, pingd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pingd_domtrans'($*)) dnl - ') - - -####################################### -## -## Read pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`pingd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pingd_read_config'($*)) dnl - - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - allow $1 pingd_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pingd_read_config'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## pingd etc configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`pingd_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pingd_manage_config'($*)) dnl - - gen_require(` - type pingd_etc_t; - ') - - files_search_etc($1) - allow $1 pingd_etc_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pingd_manage_config'($*)) dnl - ') - - -####################################### -## -## All of the rules required to -## administrate an pingd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pingd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pingd_admin'($*)) dnl - - gen_require(` - type pingd_t, pingd_etc_t, pingd_modules_t; - type pingd_initrc_exec_t; - ') - - allow $1 pingd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pingd_t) - - init_startstop_service($1, $2, pingd_t, pingd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, pingd_etc_t) - - files_list_usr($1) - admin_pattern($1, pingd_modules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pingd_admin'($*)) dnl - ') - -## Enables DNSSEC protection for DNS traffic. - -######################################## -## -## All of the rules required to -## administrate an dnssec environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dnssectrigger_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnssectrigger_admin'($*)) dnl - - gen_require(` - type dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t, dnssec_trigger_conf_t; - type dnssec_trigger_log_t, dnssec_triggerd_runtime_t; - ') - - allow $1 dnssec_triggerd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnssec_triggerd_t) - - init_startstop_service($1, $2, dnssec_triggerd_t, dnssec_triggerd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, dnssec_trigger_conf_t) - - logging_search_logs($1) - admin_pattern($1, dnssec_trigger_log_t) - - files_search_pids($1) - admin_pattern($1, dnssec_triggerd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnssectrigger_admin'($*)) dnl - ') - -## Music Player Daemon. - -######################################## -## -## Execute a domain transition to run mpd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mpd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_domtrans'($*)) dnl - - gen_require(` - type mpd_t, mpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mpd_exec_t, mpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mpd server in the mpd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mpd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_initrc_domtrans'($*)) dnl - - gen_require(` - type mpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, mpd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_initrc_domtrans'($*)) dnl - ') - - -####################################### -## -## Read mpd data files. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_read_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_read_data_files'($*)) dnl - - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - read_files_pattern($1, mpd_data_t, mpd_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_read_data_files'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## mpd data files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mpd_manage_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_manage_data_files'($*)) dnl - - gen_require(` - type mpd_data_t; - ') - - mpd_search_lib($1) - manage_files_pattern($1, mpd_data_t, mpd_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_manage_data_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mpd user data content. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_manage_user_data_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_manage_user_data_content'($*)) dnl - - gen_require(` - type mpd_user_data_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mpd_user_data_t:dir manage_dir_perms; - allow $1 mpd_user_data_t:file manage_file_perms; - allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_manage_user_data_content'($*)) dnl - ') - - -######################################## -## -## Relabel mpd user data content. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_relabel_user_data_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_relabel_user_data_content'($*)) dnl - - gen_require(` - type mpd_user_data_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mpd_user_data_t:dir relabel_dir_perms; - allow $1 mpd_user_data_t:file relabel_file_perms; - allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_relabel_user_data_content'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the mpd user data type. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`mpd_home_filetrans_user_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_home_filetrans_user_data'($*)) dnl - - gen_require(` - type mpd_user_data_t; - ') - - userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_home_filetrans_user_data'($*)) dnl - ') - - -####################################### -## -## Read mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_read_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_read_tmpfs_files'($*)) dnl - - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_read_tmpfs_files'($*)) dnl - ') - - -################################### -## -## Create, read, write, and delete -## mpd tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_manage_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_manage_tmpfs_files'($*)) dnl - - gen_require(` - type mpd_tmpfs_t; - ') - - fs_search_tmpfs($1) - manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_manage_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Search mpd lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mpd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_search_lib'($*)) dnl - - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 mpd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read mpd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_read_lib_files'($*)) dnl - - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mpd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_files'($*)) dnl - - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_manage_lib_files'($*)) dnl - ') - - -####################################### -## -## Create specified objects in mpd -## lib directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`mpd_var_lib_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_var_lib_filetrans'($*)) dnl - - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_var_lib_filetrans'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mpd lib dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`mpd_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_dirs'($*)) dnl - - gen_require(` - type mpd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mpd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mpd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mpd_admin'($*)) dnl - - gen_require(` - type mpd_t, mpd_initrc_exec_t, mpd_etc_t; - type mpd_data_t, mpd_log_t, mpd_var_lib_t; - type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; - ') - - allow $1 mpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, mpd_t) - - init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, mpd_etc_t) - - files_search_var_lib($1) - admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t }) - - logging_search_logs($1) - admin_pattern($1, mpd_log_t) - - files_search_tmp($1) - admin_pattern($1, mpd_tmp_t) - - fs_search_tmpfs($1) - admin_pattern($1, mpd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mpd_admin'($*)) dnl - ') - -## MiniDLNA lightweight DLNA/UPnP media server - -######################################## -## -## All of the rules required to -## administrate an minidlna environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`minidlna_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `minidlna_admin'($*)) dnl - - gen_require(` - type minidlna_t, minidlna_runtime_t, minidlna_initrc_exec_t; - type minidlna_conf_t, minidlna_log_t, minidlna_db_t; - ') - - allow $1 minidlna_t:process { ptrace signal_perms }; - ps_process_pattern($1, minidlna_t) - - init_startstop_service($1, $2, minidlna_t, minidlna_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, minidlna_conf_t) - - logging_search_logs($1) - admin_pattern($1, minidlna_log_t) - - files_search_var_lib($1) - admin_pattern($1, minidlna_db_t) - - files_search_pids($1) - admin_pattern($1, minidlna_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `minidlna_admin'($*)) dnl - ') - - -######################################## -## -## Execute minidlna init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`minidlna_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `minidlna_initrc_domtrans'($*)) dnl - - gen_require(` - type minidlna_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, minidlna_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `minidlna_initrc_domtrans'($*)) dnl - ') - -## Advanced power management. - -######################################## -## -## Execute apm in the apm domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`acpi_domtrans_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_domtrans_client'($*)) dnl - - gen_require(` - type acpi_t, acpi_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, acpi_exec_t, acpi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_domtrans_client'($*)) dnl - ') - - -######################################## -## -## Execute apm in the apm domain -## and allow the specified role -## the apm domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`acpi_run_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_run_client'($*)) dnl - - gen_require(` - attribute_role acpi_roles; - ') - - acpi_domtrans_client($1) - roleattribute $2 acpi_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_run_client'($*)) dnl - ') - - -######################################## -## -## Use apmd file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`acpi_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_use_fds'($*)) dnl - - gen_require(` - type acpid_t; - ') - - allow $1 acpid_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_use_fds'($*)) dnl - ') - - -######################################## -## -## Write apmd unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`acpi_write_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_write_pipes'($*)) dnl - - gen_require(` - type acpid_t; - ') - - allow $1 acpid_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_write_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write to apmd unix -## stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`acpi_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_rw_stream_sockets'($*)) dnl - - gen_require(` - type acpid_t; - ') - - allow $1 acpid_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Append apmd log files. -## -## -## -## Domain allowed access. -## -## -# - define(`acpi_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_append_log'($*)) dnl - - gen_require(` - type acpid_log_t; - ') - - logging_search_logs($1) - allow $1 acpid_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_append_log'($*)) dnl - ') - - -######################################## -## -## Connect to apmd over an unix -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`acpi_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_stream_connect'($*)) dnl - - gen_require(` - type acpid_t, acpid_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, acpid_runtime_t, acpid_runtime_t, acpid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an apm environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`acpi_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `acpi_admin'($*)) dnl - - gen_require(` - type acpid_t, acpid_initrc_exec_t, acpid_log_t; - type acpid_lock_t, acpid_runtime_t, acpid_var_lib_t; - type acpid_tmp_t; - ') - - allow $1 acpid_t:process { ptrace signal_perms }; - ps_process_pattern($1, acpid_t) - - init_startstop_service($1, $2, acpid_t, acpid_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, acpid_log_t) - - files_search_locks($1) - admin_pattern($1, acpid_lock_t) - - files_search_pids($1) - admin_pattern($1, acpid_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, acpid_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, acpid_tmp_t) - - acpi_run_client($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `acpi_admin'($*)) dnl - ') - -## Asterisk IP telephony server. - -###################################### -## -## Execute asterisk in the asterisk domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`asterisk_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_domtrans'($*)) dnl - - gen_require(` - type asterisk_t, asterisk_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, asterisk_exec_t, asterisk_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute asterisk in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`asterisk_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_exec'($*)) dnl - - gen_require(` - type asterisk_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, asterisk_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_exec'($*)) dnl - ') - - -##################################### -## -## Connect to asterisk over a unix domain. -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`asterisk_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_stream_connect'($*)) dnl - - gen_require(` - type asterisk_t, asterisk_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, asterisk_runtime_t, asterisk_runtime_t, asterisk_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_stream_connect'($*)) dnl - ') - - -####################################### -## -## Set attributes of asterisk log -## files and directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`asterisk_setattr_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_setattr_logs'($*)) dnl - - gen_require(` - type asterisk_log_t; - ') - - setattr_files_pattern($1, asterisk_log_t, asterisk_log_t) - setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_setattr_logs'($*)) dnl - ') - - -####################################### -## -## Set attributes of the asterisk -## PID content. -## -## -## -## Domain allowed access. -## -## -# - define(`asterisk_setattr_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_setattr_pid_files'($*)) dnl - - gen_require(` - type asterisk_runtime_t; - ') - - setattr_files_pattern($1, asterisk_runtime_t, asterisk_runtime_t) - setattr_dirs_pattern($1, asterisk_runtime_t, asterisk_runtime_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_setattr_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an asterisk environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`asterisk_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `asterisk_admin'($*)) dnl - - gen_require(` - type asterisk_t, asterisk_runtime_t, asterisk_spool_t; - type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; - type asterisk_var_lib_t, asterisk_initrc_exec_t; - ') - - allow $1 asterisk_t:process { ptrace signal_perms }; - ps_process_pattern($1, asterisk_t) - - init_startstop_service($1, $2, asterisk_t, asterisk_initrc_exec_t) - - asterisk_exec($1) - - files_list_tmp($1) - admin_pattern($1, asterisk_tmp_t) - - files_list_etc($1) - admin_pattern($1, asterisk_etc_t) - - logging_list_logs($1) - admin_pattern($1, asterisk_log_t) - - files_list_spool($1) - admin_pattern($1, asterisk_spool_t) - - files_list_var_lib($1) - admin_pattern($1, asterisk_var_lib_t) - - files_list_pids($1) - admin_pattern($1, asterisk_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `asterisk_admin'($*)) dnl - ') - -## APC UPS monitoring daemon. - -######################################## -## -## Execute a domain transition to -## run apcupsd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apcupsd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_domtrans'($*)) dnl - - gen_require(` - type apcupsd_t, apcupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute apcupsd server in the -## apcupsd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`apcupsd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_initrc_domtrans'($*)) dnl - - gen_require(` - type apcupsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read apcupsd PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`apcupsd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_read_pid_files'($*)) dnl - - gen_require(` - type apcupsd_runtime_t; - ') - - files_search_pids($1) - allow $1 apcupsd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Read apcupsd log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`apcupsd_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_read_log'($*)) dnl - - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_read_log'($*)) dnl - ') - - -######################################## -## -## Append apcupsd log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apcupsd_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_append_log'($*)) dnl - - gen_require(` - type apcupsd_log_t; - ') - - logging_search_logs($1) - allow $1 apcupsd_log_t:dir list_dir_perms; - allow $1 apcupsd_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_append_log'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run httpd_apcupsd_cgi_script. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apcupsd_cgi_script_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_cgi_script_domtrans'($*)) dnl - - gen_require(` - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; - ') - - files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) - - optional_policy(` - apache_search_sys_content($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_cgi_script_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an apcupsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`apcupsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apcupsd_admin'($*)) dnl - - gen_require(` - type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; - type apcupsd_runtime_t, apcupsd_initrc_exec_t, apcupsd_lock_t; - ') - - allow $1 apcupsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, apcupsd_t) - - init_startstop_service($1, $2, apcupsd_t, apcupsd_initrc_exec_t) - - files_list_var($1) - admin_pattern($1, apcupsd_lock_t) - - logging_list_logs($1) - admin_pattern($1, apcupsd_log_t) - - files_list_tmp($1) - admin_pattern($1, apcupsd_tmp_t) - - files_list_pids($1) - admin_pattern($1, apcupsd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apcupsd_admin'($*)) dnl - ') - -## Server for the svn repository access method. - -######################################## -## -## All of the rules required to -## administrate an svnserve environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`svnserve_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `svnserve_admin'($*)) dnl - - gen_require(` - type svnserve_t, svnserve_initrc_exec_t, svnserve_runtime_t; - ') - - allow $1 svnserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, svnserve_t) - - init_startstop_service($1, $2, svnserve_t, svnserve_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, svnserve_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `svnserve_admin'($*)) dnl - ') - -## Check and feed random data from hardware device to kernel random device. - -######################################## -## -## All of the rules required to -## administrate an rng environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rngd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rngd_admin'($*)) dnl - - gen_require(` - type rngd_t, rngd_initrc_exec_t, rngd_runtime_t; - ') - - allow $1 rngd_t:process { ptrace signal_perms }; - ps_process_pattern($1, rngd_t) - - init_startstop_service($1, $2, rngd_t, rngd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, rngd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rngd_admin'($*)) dnl - ') - -## Chrony NTP background daemon. - -##################################### -## -## Execute chronyd in the chronyd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`chronyd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_domtrans'($*)) dnl - - gen_require(` - type chronyd_t, chronyd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chronyd_exec_t, chronyd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_domtrans'($*)) dnl - ') - - -##################################### -## -## Execute chronyc in the chronyc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`chronyd_domtrans_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_domtrans_cli'($*)) dnl - - gen_require(` - type chronyc_t, chronyc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chronyc_exec_t, chronyc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_domtrans_cli'($*)) dnl - ') - - -######################################## -## -## Execute chronyd server in the -## chronyd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`chronyd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_initrc_domtrans'($*)) dnl - - gen_require(` - type chronyd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_initrc_domtrans'($*)) dnl - ') - - -#################################### -## -## Execute chronyd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_exec'($*)) dnl - - gen_require(` - type chronyd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, chronyd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_exec'($*)) dnl - ') - - -######################################## -## -## Execute chronyc in the chronyc domain, -## and allow the specified roles the -## chronyc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`chronyd_run_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_run_cli'($*)) dnl - - gen_require(` - attribute_role chronyc_roles; - ') - - chronyd_domtrans_cli($1) - roleattribute $2 chronyc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_run_cli'($*)) dnl - ') - - -##################################### -## -## Read chronyd log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`chronyd_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_read_log'($*)) dnl - - gen_require(` - type chronyd_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_read_log'($*)) dnl - ') - - -##################################### -## -## Read chronyd config file. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_read_config'($*)) dnl - - gen_require(` - type chronyd_conf_t; - ') - - files_search_etc($1) - allow $1 chronyd_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_read_config'($*)) dnl - ') - - -##################################### -## -## Read and write chronyd config file. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_rw_config'($*)) dnl - - gen_require(` - type chronyd_conf_t; - ') - - files_search_etc($1) - allow $1 chronyd_conf_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_rw_config'($*)) dnl - ') - - -######################################## -## -## Read and write chronyd shared memory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`chronyd_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_rw_shm'($*)) dnl - - gen_require(` - type chronyd_t, chronyd_tmpfs_t; - ') - - allow $1 chronyd_t:shm rw_shm_perms; - allow $1 chronyd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_rw_shm'($*)) dnl - ') - - -######################################## -## -## Connect to chronyd using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_stream_connect'($*)) dnl - - gen_require(` - type chronyd_t, chronyd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_stream_connect'($*)) dnl - ') - - -######################################## -## -## Send to chronyd using a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_dgram_send'($*)) dnl - - gen_require(` - type chronyd_t, chronyd_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_dgram_send'($*)) dnl - ') - - -######################################## -## -## Read chronyd key files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`chronyd_read_key_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_read_key_files'($*)) dnl - - gen_require(` - type chronyd_keys_t; - ') - - files_search_etc($1) - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_read_key_files'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to enable and disable chronyd unit -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_enabledisable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_enabledisable'($*)) dnl - - gen_require(` - type chronyd_unit_t; - class service { enable disable }; - ') - - allow $1 chronyd_unit_t:service { enable disable }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_enabledisable'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start and stop chronyd unit -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_startstop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_startstop'($*)) dnl - - gen_require(` - type chronyd_unit_t; - class service { start stop }; - ') - - allow $1 chronyd_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_startstop'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of chronyd unit -## -## -## -## Domain allowed access. 
-## -## -# - define(`chronyd_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_status'($*)) dnl - - gen_require(` - type chronyd_unit_t; - class service status; - ') - - allow $1 chronyd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_status'($*)) dnl - ') - - -######################################## -## -## Send to chronyd command line interface using a unix domain -## datagram socket. -## -## -## -## Domain allowed access. -## -## -# - define(`chronyd_dgram_send_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_dgram_send_cli'($*)) dnl - - gen_require(` - type chronyc_t, chronyd_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, chronyd_runtime_t, chronyd_runtime_t, chronyc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_dgram_send_cli'($*)) dnl - ') - - -#################################### -## -## All of the rules required to -## administrate an chronyd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`chronyd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `chronyd_admin'($*)) dnl - - gen_require(` - type chronyd_t, chronyd_var_log_t; - type chronyd_runtime_t, chronyd_var_lib_t; - type chronyd_initrc_exec_t, chronyd_keys_t; - ') - - allow $1 chronyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, chronyd_t) - - init_startstop_service($1, $2, chronyd_t, chronyd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, chronyd_keys_t) - - logging_search_logs($1) - admin_pattern($1, chronyd_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, chronyd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `chronyd_admin'($*)) dnl - ') - -## Storage array management library. - -######################################## -## -## All of the rules required to administrate -## an lsmd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`lsmd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lsmd_admin'($*)) dnl - - gen_require(` - type lsmd_t, lsmd_runtime_t; - ') - - allow $1 lsmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, lsmd_t) - - files_search_pids($1) - admin_pattern($1, lsmd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lsmd_admin'($*)) dnl - ') - -## SMB and CIFS client/server programs. - -######################################## -## -## Execute nmbd in the nmbd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`samba_domtrans_nmbd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_nmbd'($*)) dnl - - gen_require(` - type nmbd_t, nmbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nmbd_exec_t, nmbd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_nmbd'($*)) dnl - ') - - -####################################### -## -## Send generic signals to nmbd. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_signal_nmbd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_signal_nmbd'($*)) dnl - - gen_require(` - type nmbd_t; - ') - allow $1 nmbd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_signal_nmbd'($*)) dnl - ') - - -######################################## -## -## Connect to nmbd with a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_stream_connect_nmbd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_stream_connect_nmbd'($*)) dnl - - gen_require(` - type samba_var_t, nmbd_t, samba_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { samba_runtime_t samba_var_t }, samba_runtime_t, nmbd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_stream_connect_nmbd'($*)) dnl - ') - - -######################################## -## -## Execute samba init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`samba_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_initrc_domtrans'($*)) dnl - - gen_require(` - type samba_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute samba net in the samba net domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`samba_domtrans_net',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_net'($*)) dnl - - gen_require(` - type samba_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_net_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_net'($*)) dnl - ') - - -######################################## -## -## Execute samba net in the samba net -## domain, and allow the specified -## role the samba net domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`samba_run_net',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_run_net'($*)) dnl - - gen_require(` - attribute_role samba_net_roles; - ') - - samba_domtrans_net($1) - roleattribute $2 samba_net_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_run_net'($*)) dnl - ') - - -######################################## -## -## Execute smbmount in the smbmount domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`samba_domtrans_smbmount',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbmount'($*)) dnl - - gen_require(` - type smbmount_t, smbmount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbmount_exec_t, smbmount_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_smbmount'($*)) dnl - ') - - -######################################## -## -## Execute smbmount in the smbmount -## domain, and allow the specified -## role the smbmount domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`samba_run_smbmount',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_run_smbmount'($*)) dnl - - gen_require(` - attribute_role smbmount_roles; - ') - - samba_domtrans_smbmount($1) - roleattribute $2 smbmount_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_run_smbmount'($*)) dnl - ') - - -######################################## -## -## Read samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`samba_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_config'($*)) dnl - - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, samba_etc_t, samba_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_config'($*)) dnl - ') - - -######################################## -## -## Read and write samba configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`samba_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_rw_config'($*)) dnl - - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - rw_files_pattern($1, samba_etc_t, samba_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_rw_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samba configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`samba_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_manage_config'($*)) dnl - - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, samba_etc_t, samba_etc_t) - manage_files_pattern($1, samba_etc_t, samba_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_manage_config'($*)) dnl - ') - - -######################################## -## -## Read samba log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`samba_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_log'($*)) dnl - - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - read_files_pattern($1, samba_log_t, samba_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_log'($*)) dnl - ') - - -######################################## -## -## Append to samba log files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`samba_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_append_log'($*)) dnl - - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - allow $1 samba_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_append_log'($*)) dnl - ') - - -######################################## -## -## Execute samba log files in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_exec_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_exec_log'($*)) dnl - - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - can_exec($1, samba_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_exec_log'($*)) dnl - ') - - -######################################## -## -## Read samba secret files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_read_secrets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_secrets'($*)) dnl - - gen_require(` - type samba_secrets_t; - ') - - files_search_etc($1) - allow $1 samba_secrets_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_secrets'($*)) dnl - ') - - -######################################## -## -## Read samba share files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`samba_read_share_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_share_files'($*)) dnl - - gen_require(` - type samba_share_t; - ') - - allow $1 samba_share_t:filesystem getattr; - read_files_pattern($1, samba_share_t, samba_share_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_share_files'($*)) dnl - ') - - -######################################## -## -## Search samba var directories. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_search_var',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_search_var'($*)) dnl - - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_search_var'($*)) dnl - ') - - -######################################## -## -## Read samba var files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_read_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_var_files'($*)) dnl - - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_var_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## samba var files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`samba_dontaudit_write_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_dontaudit_write_var_files'($*)) dnl - - gen_require(` - type samba_var_t; - ') - - dontaudit $1 samba_var_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_dontaudit_write_var_files'($*)) dnl - ') - - -######################################## -## -## Read and write samba var files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_rw_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_rw_var_files'($*)) dnl - - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_rw_var_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## samba var files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_manage_var_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_manage_var_files'($*)) dnl - - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_manage_var_files'($*)) dnl - ') - - -######################################## -## -## Execute smbcontrol in the smbcontrol domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`samba_domtrans_smbcontrol',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbcontrol'($*)) dnl - - gen_require(` - type smbcontrol_t, smbcontrol_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_smbcontrol'($*)) dnl - ') - - -######################################## -## -## Execute smbcontrol in the smbcontrol -## domain, and allow the specified -## role the smbcontrol domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`samba_run_smbcontrol',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_run_smbcontrol'($*)) dnl - - gen_require(` - attribute_role smbcontrol_roles; - ') - - samba_domtrans_smbcontrol($1) - roleattribute $2 smbcontrol_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_run_smbcontrol'($*)) dnl - ') - - -######################################## -## -## Execute smbd in the smbd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`samba_domtrans_smbd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbd'($*)) dnl - - gen_require(` - type smbd_t, smbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbd_exec_t, smbd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_smbd'($*)) dnl - ') - - -###################################### -## -## Send generic signals to smbd. -## -## -## -## Domain allowed access. 
-## -## -# - define(`samba_signal_smbd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_signal_smbd'($*)) dnl - - gen_require(` - type smbd_t; - ') - allow $1 smbd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_signal_smbd'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## and use smbd file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`samba_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_dontaudit_use_fds'($*)) dnl - - gen_require(` - type smbd_t; - ') - - dontaudit $1 smbd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Write smbmount tcp sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_write_smbmount_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_write_smbmount_tcp_sockets'($*)) dnl - - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_write_smbmount_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write smbmount tcp sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`samba_rw_smbmount_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_rw_smbmount_tcp_sockets'($*)) dnl - - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_rw_smbmount_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Execute winbind helper in the -## winbind helper domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`samba_domtrans_winbind_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_domtrans_winbind_helper'($*)) dnl - - gen_require(` - type winbind_helper_t, winbind_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_domtrans_winbind_helper'($*)) dnl - ') - - -####################################### -## -## Get attributes of winbind executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_getattr_winbind_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_getattr_winbind_exec'($*)) dnl - - gen_require(` - type winbind_exec_t; - ') - - allow $1 winbind_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_getattr_winbind_exec'($*)) dnl - ') - - -######################################## -## -## Execute winbind helper in the winbind -## helper domain, and allow the specified -## role the winbind helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`samba_run_winbind_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_run_winbind_helper'($*)) dnl - - gen_require(` - attribute_role winbind_helper_roles; - ') - - samba_domtrans_winbind_helper($1) - roleattribute $2 winbind_helper_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_run_winbind_helper'($*)) dnl - ') - - -######################################## -## -## Read winbind pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_read_winbind_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_read_winbind_pid'($*)) dnl - - gen_require(` - type winbind_runtime_t, samba_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, { samba_runtime_t winbind_runtime_t }, winbind_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_read_winbind_pid'($*)) dnl - ') - - -######################################## -## -## Connect to winbind with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`samba_stream_connect_winbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_stream_connect_winbind'($*)) dnl - - gen_require(` - type samba_var_t, winbind_t, winbind_runtime_t, smbd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { smbd_runtime_t samba_var_t winbind_runtime_t }, winbind_runtime_t, winbind_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_stream_connect_winbind'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an samba environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`samba_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `samba_admin'($*)) dnl - - gen_require(` - type nmbd_t, samba_runtime_t; - type smbd_t, smbd_tmp_t; - type samba_log_t, samba_var_t, samba_secrets_t; - type samba_etc_t, samba_share_t, samba_initrc_exec_t; - type swat_runtime_t, swat_tmp_t, winbind_log_t; - type winbind_runtime_t, winbind_tmp_t; - type smbd_keytab_t; - ') - - allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { nmbd_t smbd_t }) - - init_startstop_service($1, $2, samba_t, samba_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { samba_etc_t smbd_keytab_t }) - - logging_list_logs($1) - admin_pattern($1, { samba_log_t winbind_log_t }) - - files_list_var($1) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) - - files_list_spool($1) - - files_list_pids($1) - admin_pattern($1, { winbind_runtime_t samba_runtime_t swat_runtime_t }) - - files_list_tmp($1) - admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `samba_admin'($*)) dnl - ') - -## publicfile supplies files to the public through HTTP and FTP. -## AMQP server written in Erlang. - -######################################## -## -## Execute rabbitmq in the rabbitmq domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rabbitmq_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rabbitmq_domtrans'($*)) dnl - - gen_require(` - type rabbitmq_epmd_t, rabbitmq_epmd_exec_t; - type rabbitmq_beam_t, rabbitmq_beam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) - domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rabbitmq_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rabbitmq environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rabbitmq_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rabbitmq_admin'($*)) dnl - - gen_require(` - type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t; - type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_runtime_t; - ') - - allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t }) - - init_startstop_service($1, $2, { rabbitmq_epmd_t rabbitmq_beam_t }, rabbitmq_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, rabbitmq_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, rabbitmq_var_lib_t) - - files_search_pids($1) - admin_pattern($1, rabbitmq_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rabbitmq_admin'($*)) dnl - ') - -## Smokeping network latency measurement. - -######################################## -## -## Execute a domain transition to run smokeping. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`smokeping_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_domtrans'($*)) dnl - - gen_require(` - type smokeping_t, smokeping_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smokeping_exec_t, smokeping_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute smokeping init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`smokeping_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_initrc_domtrans'($*)) dnl - - gen_require(` - type smokeping_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, smokeping_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read smokeping pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`smokeping_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_read_pid_files'($*)) dnl - - gen_require(` - type smokeping_runtime_t; - ') - - files_search_pids($1) - allow $1 smokeping_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## smokeping pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`smokeping_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_manage_pid_files'($*)) dnl - - gen_require(` - type smokeping_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, smokeping_runtime_t, smokeping_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Get attributes of smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`smokeping_getattr_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_getattr_lib_files'($*)) dnl - - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_getattr_lib_files'($*)) dnl - ') - - -######################################## -## -## Read smokeping lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`smokeping_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_read_lib_files'($*)) dnl - - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## smokeping lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`smokeping_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_manage_lib_files'($*)) dnl - - gen_require(` - type smokeping_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate a smokeping environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`smokeping_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smokeping_admin'($*)) dnl - - gen_require(` - type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t; - type smokeping_runtime_t; - ') - - allow $1 smokeping_t:process { ptrace signal_perms }; - ps_process_pattern($1, smokeping_t) - - init_startstop_service($1, $2, smokeping_t, smokeping_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, smokeping_var_lib_t) - - files_search_pids($1) - admin_pattern($1, smokeping_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smokeping_admin'($*)) dnl - ') - -## BIRD Internet Routing Daemon. - -######################################## -## -## All of the rules required to -## administrate an bird environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bird_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bird_admin'($*)) dnl - - gen_require(` - type bird_t, bird_etc_t, bird_log_t; - type bird_runtime_t, bird_initrc_exec_t; - ') - - allow $1 bird_t:process { ptrace signal_perms }; - ps_process_pattern($1, bird_t) - - init_startstop_service($1, $2, bird_t, bird_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, bird_etc_t) - - logging_list_logs($1) - admin_pattern($1, bird_log_t) - - files_list_pids($1) - admin_pattern($1, bird_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bird_admin'($*)) dnl - ') - -## mon network monitoring daemon. - -###################################### -## -## dontaudit using an inherited fd from mon_t -## -## -## -## Domain to not audit -## -## -# - define(`mon_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mon_dontaudit_use_fds'($*)) dnl - - gen_require(` - type mon_t; - ') - - dontaudit $1 mon_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mon_dontaudit_use_fds'($*)) dnl - ') - - -###################################### -## -## dontaudit searching /var/lib/mon -## -## -## -## Domain to not audit -## -## -# - define(`mon_dontaudit_search_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mon_dontaudit_search_var_lib'($*)) dnl - - gen_require(` - type mon_var_lib_t; - ') - - dontaudit $1 mon_var_lib_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mon_dontaudit_search_var_lib'($*)) dnl - ') - - -## Platform for computing using volunteered resources. - -######################################## -## -## All of the rules required to -## administrate an boinc environment. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`boinc_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `boinc_admin'($*)) dnl - - gen_require(` - - type boinc_t, boinc_project_t, boinc_log_t; - type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t; - type boinc_project_var_lib_t, boinc_project_tmp_t; - ') - - allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { boinc_t boinc_project_t }) - - init_startstop_service($1, $2, boinc_t, boinc_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, boinc_log_t) - - files_search_tmp($1) - admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t }) - - files_search_var_lib($1) - admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `boinc_admin'($*)) dnl - ') - -## Automatic IPv6 Connectivity Client Utility. - -######################################## -## -## Execute a domain transition to run aiccu. -## -## -## -## Domain allowed to transition. -## -## -# - define(`aiccu_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aiccu_domtrans'($*)) dnl - - gen_require(` - type aiccu_t, aiccu_exec_t; - ') - - domtrans_pattern($1, aiccu_exec_t, aiccu_t) - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aiccu_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute aiccu server in the aiccu domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`aiccu_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aiccu_initrc_domtrans'($*)) dnl - - gen_require(` - type aiccu_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, aiccu_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aiccu_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read aiccu PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`aiccu_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aiccu_read_pid_files'($*)) dnl - - gen_require(` - type aiccu_runtime_t; - ') - - allow $1 aiccu_runtime_t:file read_file_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aiccu_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an aiccu environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`aiccu_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `aiccu_admin'($*)) dnl - - gen_require(` - type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; - type aiccu_runtime_t; - ') - - allow $1 aiccu_t:process { ptrace signal_perms }; - ps_process_pattern($1, aiccu_t) - - init_startstop_service($1, $2, aiccu_t, aiccu_initrc_exec_t) - - admin_pattern($1, aiccu_etc_t) - files_list_etc($1) - - admin_pattern($1, aiccu_runtime_t) - files_list_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `aiccu_admin'($*)) dnl - ') - -## Pyzor is a distributed, collaborative spam detection and filtering network. - -######################################## -## -## Role access for pyzor. 
-## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`pyzor_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyzor_role'($*)) dnl - - gen_require(` - attribute_role pyzor_roles; - type pyzor_t, pyzor_exec_t, pyzor_home_t; - type pyzor_tmp_t; - ') - - roleattribute $1 pyzor_roles; - - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - - allow $2 pyzor_t:process { ptrace signal_perms }; - ps_process_pattern($2, pyzor_t) - - allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyzor_role'($*)) dnl - ') - - -######################################## -## -## Send generic signals to pyzor. -## -## -## -## Domain allowed access. -## -## -# - define(`pyzor_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyzor_signal'($*)) dnl - - gen_require(` - type pyzor_t; - ') - - allow $1 pyzor_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyzor_signal'($*)) dnl - ') - - -######################################## -## -## Execute pyzor with a domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`pyzor_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyzor_domtrans'($*)) dnl - - gen_require(` - type pyzor_exec_t, pyzor_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyzor_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute pyzor in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`pyzor_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyzor_exec'($*)) dnl - - gen_require(` - type pyzor_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyzor_exec'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an pyzor environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`pyzor_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyzor_admin'($*)) dnl - - gen_require(` - type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; - type pyzor_var_lib_t, pyzor_etc_t; - ') - - allow $1 pyzord_t:process { ptrace signal_perms }; - ps_process_pattern($1, pyzord_t) - - init_startstop_service($1, $2, pyzord_t, pyzord_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, pyzor_etc_t) - - logging_search_logs($1) - admin_pattern($1, pyzord_log_t) - - files_search_var_lib($1) - admin_pattern($1, pyzor_var_lib_t) - - # This makes it impossible to apply _admin if _role has already been applied - #pyzor_role($2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyzor_admin'($*)) dnl - ') - -## Dynamic host configuration protocol server. 
- -######################################## -## -## Execute a domain transition to run dhcpd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dhcpd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dhcpd_domtrans'($*)) dnl - - gen_require(` - type dhcpd_t, dhcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dhcpd_domtrans'($*)) dnl - ') - - -######################################## -## -## Set attributes of dhcpd server -## state files. -## -## -## -## Domain allowed access. -## -## -# - define(`dhcpd_setattr_state_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dhcpd_setattr_state_files'($*)) dnl - - gen_require(` - type dhcpd_state_t; - ') - - sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dhcpd_setattr_state_files'($*)) dnl - ') - - -######################################## -## -## Execute dhcp server in the dhcp domain. -## -## -## -## Domain allowed to transition. -## -## -# -# - define(`dhcpd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dhcpd_initrc_domtrans'($*)) dnl - - gen_require(` - type dhcpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dhcpd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dhcpd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dhcpd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dhcpd_admin'($*)) dnl - - gen_require(` - type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_runtime_t, dhcpd_initrc_exec_t; - ') - - allow $1 dhcpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, dhcpd_t) - - init_startstop_service($1, $2, dhcpd_t, dhcpd_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, dhcpd_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, dhcpd_state_t) - - files_list_pids($1) - admin_pattern($1, dhcpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dhcpd_admin'($*)) dnl - ') - -## Services for loading CPU microcode and CPU frequency scaling. - -######################################## -## -## CPUcontrol stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`cpucontrol_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cpucontrol_stub'($*)) dnl - - gen_require(` - type cpucontrol_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cpucontrol_stub'($*)) dnl - ') - -## Network monitoring server. - -####################################### -## -## The template to define a nagios plugin domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`nagios_plugin_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_plugin_template'($*)) dnl - - gen_require(` - attribute nagios_plugin_domain; - type nagios_t, nrpe_t; - ') - - ######################################## - # - # Declarations - # - - type nagios_$1_plugin_t, nagios_plugin_domain; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - - ######################################## - # - # Policy - # - - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - allow nagios_t nagios_$1_plugin_exec_t:file ioctl; - - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_plugin_template'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or -## write nagios unnamed pipes. -## -## -## -## Domain to not audit. -## -## -## -# - define(`nagios_dontaudit_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_pipes'($*)) dnl - - gen_require(` - type nagios_t; - ') - - dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Read nagios configuration content. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`nagios_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_read_config'($*)) dnl - - gen_require(` - type nagios_etc_t; - ') - - files_search_etc($1) - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; - allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_read_config'($*)) dnl - ') - - -###################################### -## -## Read nagios log files. -## -## -## -## Domain allowed access. -## -## -# - define(`nagios_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_read_log'($*)) dnl - - gen_require(` - type nagios_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, nagios_log_t, nagios_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_read_log'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or -## write nagios log files. -## -## -## -## Domain to not audit. -## -## -# - define(`nagios_dontaudit_rw_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_log'($*)) dnl - - gen_require(` - type nagios_log_t; - ') - - dontaudit $1 nagios_log_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_log'($*)) dnl - ') - - -######################################## -## -## Search nagios spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nagios_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_search_spool'($*)) dnl - - gen_require(` - type nagios_spool_t; - ') - - files_search_spool($1) - allow $1 nagios_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_search_spool'($*)) dnl - ') - - -######################################## -## -## Read nagios temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`nagios_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_read_tmp_files'($*)) dnl - - gen_require(` - type nagios_tmp_t; - ') - - files_search_tmp($1) - allow $1 nagios_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Execute nrpe with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nagios_domtrans_nrpe',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_domtrans_nrpe'($*)) dnl - - gen_require(` - type nrpe_t, nrpe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nrpe_exec_t, nrpe_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_domtrans_nrpe'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an nagios environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`nagios_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nagios_admin'($*)) dnl - - gen_require(` - attribute nagios_plugin_domain; - type nagios_t, nrpe_t, nagios_initrc_exec_t; - type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; - type nagios_etc_t, nrpe_etc_t, nrpe_runtime_t; - type nagios_spool_t, nagios_runtime_t, nagios_system_plugin_tmp_t; - type nagios_eventhandler_plugin_tmp_t; - ') - - allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; - ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) - - init_startstop_service($1, $2, nagios_t, nagios_initrc_exec_t) - - files_search_tmp($1) - admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) - - logging_search_logs($1) - admin_pattern($1, nagios_log_t) - - files_search_etc($1) - admin_pattern($1, { nrpe_etc_t nagios_etc_t }) - - files_search_spool($1) - admin_pattern($1, nagios_spool_t) - - files_search_pids($1) - admin_pattern($1, { nrpe_runtime_t nagios_runtime_t }) - - files_search_var_lib($1) - admin_pattern($1, nagios_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nagios_admin'($*)) dnl - ') - -## Kernel Samepage Merging Tuning Daemon. - -######################################## -## -## Execute a domain transition to run ksmtuned. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ksmtuned_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ksmtuned_domtrans'($*)) dnl - - gen_require(` - type ksmtuned_t, ksmtuned_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ksmtuned_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ksmtuned server in -## the ksmtuned domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ksmtuned_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ksmtuned_initrc_domtrans'($*)) dnl - - gen_require(` - type ksmtuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ksmtuned_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ksmtuned environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ksmtuned_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ksmtuned_admin'($*)) dnl - - gen_require(` - type ksmtuned_t, ksmtuned_runtime_t; - type ksmtuned_initrc_exec_t, ksmtuned_log_t; - ') - - init_startstop_service($1, $2, ksmtuned_t, ksmtuned_initrc_exec_t) - - allow $1 ksmtuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, ksmtuned_t) - - files_list_pids($1) - admin_pattern($1, ksmtuned_runtime_t) - - logging_search_logs($1) - admin_pattern($1, ksmtuned_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ksmtuned_admin'($*)) dnl - ') - -## shared storage lock manager. 
- -######################################## -## -## Execute a domain transition to run sanlock. -## -## -## -## Domain allowed access. -## -## -# - define(`sanlock_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sanlock_domtrans'($*)) dnl - - gen_require(` - type sanlock_t, sanlock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sanlock_exec_t, sanlock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sanlock_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute sanlock init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sanlock_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sanlock_initrc_domtrans'($*)) dnl - - gen_require(` - type sanlock_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sanlock_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sanlock_initrc_domtrans'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## sanlock pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`sanlock_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sanlock_manage_pid_files'($*)) dnl - - gen_require(` - type sanlock_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, sanlock_runtime_t, sanlock_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sanlock_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to sanlock with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sanlock_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sanlock_stream_connect'($*)) dnl - - gen_require(` - type sanlock_t, sanlock_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sanlock_runtime_t, sanlock_runtime_t, sanlock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sanlock_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sanlock environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sanlock_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sanlock_admin'($*)) dnl - - gen_require(` - type sanlock_t, sanlock_initrc_exec_t, sanlock_runtime_t; - type sanlock_log_t; - ') - - allow $1 sanlock_t:process { ptrace signal_perms }; - ps_process_pattern($1, sanlock_t) - - init_startstop_service($1, $2, sanlock_t, sanlock_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, sanlock_runtime_t) - - logging_search_logs($1) - admin_pattern($1, sanlock_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sanlock_admin'($*)) dnl - ') - -## Server for the PXE network boot protocol. - -######################################## -## -## All of the rules required to -## administrate an pxe environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pxe_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pxe_admin'($*)) dnl - - gen_require(` - type pxe_t, pxe_initrc_exec_t, pxe_log_t; - type pxe_runtime_t; - ') - - allow $1 pxe_t:process { ptrace signal_perms }; - ps_process_pattern($1, pxe_t) - - init_startstop_service($1, $2, pxe_t, pxe_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, pxe_log_t) - - files_search_pids($1) - admin_pattern($1, pxe_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pxe_admin'($*)) dnl - ') - -## Framework for facilitating multiple user sessions on desktops. - -######################################## -## -## Execute a domain transition to run consolekit. -## -## -## -## Domain allowed to transition. -## -## -# - define(`consolekit_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_domtrans'($*)) dnl - - gen_require(` - type consolekit_t, consolekit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, consolekit_exec_t, consolekit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## consolekit over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`consolekit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_dbus_chat'($*)) dnl - - gen_require(` - type consolekit_t; - class dbus send_msg; - ') - - allow $1 consolekit_t:dbus send_msg; - allow consolekit_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Use consolekit inhibit locks. 
-## -## The program gets passed an FD to a fifo_file to hold. -## When the application is done with the lock, it closes the FD. -## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/ -## -## -## -## Domain allowed access. -## -## -# - define(`consolekit_use_inhibit_lock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_use_inhibit_lock'($*)) dnl - - gen_require(` - type consolekit_t, consolekit_runtime_t; - ') - - allow $1 consolekit_t:fd use; - allow $1 consolekit_runtime_t:fifo_file rw_inherited_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_use_inhibit_lock'($*)) dnl - ') - - -######################################## -## -## Read consolekit log files. -## -## -## -## Domain allowed access. -## -## -# - define(`consolekit_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_read_log'($*)) dnl - - gen_require(` - type consolekit_log_t; - ') - - read_files_pattern($1, consolekit_log_t, consolekit_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_read_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## consolekit log files. -## -## -## -## Domain allowed access. -## -## -# - define(`consolekit_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_manage_log'($*)) dnl - - gen_require(` - type consolekit_log_t; - ') - - manage_files_pattern($1, consolekit_log_t, consolekit_log_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_manage_log'($*)) dnl - ') - - -######################################## -## -## Read consolekit PID files. 
-## -## -## -## Domain allowed access. -## -## -# - define(`consolekit_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `consolekit_read_pid_files'($*)) dnl - - gen_require(` - type consolekit_runtime_t; - ') - - files_search_pids($1) - allow $1 consolekit_runtime_t:dir list_dir_perms; - read_files_pattern($1, consolekit_runtime_t, consolekit_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `consolekit_read_pid_files'($*)) dnl - ') - -## IP over DNS tunneling daemon. - -######################################## -## -## All of the rules required to -## administrate an iodined environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`iodine_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iodine_admin'($*)) dnl - - gen_require(` - type iodined_t, iodined_initrc_exec_t; - ') - - allow $1 iodined_t:process { ptrace signal_perms }; - ps_process_pattern($1, iodined_t) - - init_startstop_service($1, $2, iodined_t, iodined_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iodine_admin'($*)) dnl - ') - -## Generate entropy from audio input. - -######################################## -## -## All of the rules required to -## administrate an entropyd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`entropyd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `entropyd_admin'($*)) dnl - - gen_require(` - type entropyd_t, entropyd_initrc_exec_t, entropyd_runtime_t; - ') - - allow $1 entropyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, entropyd_t) - - init_startstop_service($1, $2, entropyd_t, entropyd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, entropyd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `entropyd_admin'($*)) dnl - ') - -## Open source database. - -###################################### -## -## Execute MySQL in the mysql domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mysql_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_domtrans'($*)) dnl - - gen_require(` - type mysqld_t, mysqld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_exec_t, mysqld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mysqld in the mysqld domain, and -## allow the specified role the mysqld domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`mysql_run_mysqld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_run_mysqld'($*)) dnl - - gen_require(` - attribute_role mysqld_roles; - ') - - mysql_domtrans($1) - roleattribute $2 mysqld_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_run_mysqld'($*)) dnl - ') - - -######################################## -## -## Send generic signals to mysqld. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mysql_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_signal'($*)) dnl - - gen_require(` - type mysqld_t; - ') - - allow $1 mysqld_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_signal'($*)) dnl - ') - - -######################################## -## -## Connect to mysqld with a tcp socket. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_tcp_connect'($*)) dnl - - gen_require(` - type mysqld_t; - ') - - corenet_tcp_recvfrom_labeled($1, mysqld_t) - corenet_tcp_connect_mysqld_port($1) - corenet_sendrecv_mysqld_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_tcp_connect'($*)) dnl - ') - - -######################################## -## -## Connect to mysqld with a unix -# domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mysql_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_stream_connect'($*)) dnl - - gen_require(` - type mysqld_t, mysqld_runtime_t, mysqld_db_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { mysqld_db_t mysqld_runtime_t }, mysqld_runtime_t, mysqld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read mysqld configuration content. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`mysql_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_read_config'($*)) dnl - - gen_require(` - type mysqld_etc_t; - ') - - files_search_etc($1) - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_read_config'($*)) dnl - ') - - -######################################## -## -## Search mysqld db directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_search_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_search_db'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_search_db'($*)) dnl - ') - - -######################################## -## -## Read and write mysqld database directories. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_rw_db_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_rw_db_dirs'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir rw_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_rw_db_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mysqld database directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mysql_manage_db_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_manage_db_dirs'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - allow $1 mysqld_db_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_manage_db_dirs'($*)) dnl - ') - - -####################################### -## -## Append mysqld database files. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_append_db_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_append_db_files'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - append_files_pattern($1, mysqld_db_t, mysqld_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_append_db_files'($*)) dnl - ') - - -####################################### -## -## Read and write mysqld database files. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_rw_db_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_rw_db_files'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, mysqld_db_t, mysqld_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_rw_db_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## mysqld database files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mysql_manage_db_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_manage_db_files'($*)) dnl - - gen_require(` - type mysqld_db_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, mysqld_db_t, mysqld_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_manage_db_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mysqld home files. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_manage_mysqld_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_manage_mysqld_home_files'($*)) dnl - - gen_require(` - type mysqld_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_manage_mysqld_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel mysqld home files. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_relabel_mysqld_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_relabel_mysqld_home_files'($*)) dnl - - gen_require(` - type mysqld_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_relabel_mysqld_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the mysqld home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`mysql_home_filetrans_mysqld_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_home_filetrans_mysqld_home'($*)) dnl - - gen_require(` - type mysqld_home_t; - ') - - userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_home_filetrans_mysqld_home'($*)) dnl - ') - - -######################################## -## -## Write mysqld log files. -## -## -## -## Domain allowed access. -## -## -# - define(`mysql_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_write_log'($*)) dnl - - gen_require(` - type mysqld_log_t; - ') - - logging_search_logs($1) - allow $1 mysqld_log_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_write_log'($*)) dnl - ') - - -###################################### -## -## Execute mysqld safe in the -## mysqld safe domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mysql_domtrans_mysql_safe',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_domtrans_mysql_safe'($*)) dnl - - gen_require(` - type mysqld_safe_t, mysqld_safe_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_domtrans_mysql_safe'($*)) dnl - ') - - -##################################### -## -## Read mysqld pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mysql_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_read_pid_files'($*)) dnl - - gen_require(` - type mysqld_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, mysqld_runtime_t, mysqld_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_read_pid_files'($*)) dnl - ') - - -##################################### -## -## Search mysqld pid files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`mysql_search_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_search_pid_files'($*)) dnl - - gen_require(` - type mysqld_runtime_t; - ') - - files_search_pids($1) - search_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_search_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mysqld environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mysql_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_admin'($*)) dnl - - gen_require(` - type mysqld_t, mysqld_runtime_t, mysqld_etc_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; - type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_runtime_t; - type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; - ') - - allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) - - init_startstop_service($1, $2, mysqld_t, mysqld_initrc_exec_t) - init_startstop_service($1, $2, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, { mysqlmanagerd_runtime_t mysqld_runtime_t }) - - files_search_var_lib($1) - admin_pattern($1, mysqld_db_t) - - files_search_etc($1) - admin_pattern($1, { mysqld_etc_t mysqld_home_t }) - - logging_search_logs($1) - admin_pattern($1, mysqld_log_t) - - files_search_tmp($1) - admin_pattern($1, mysqld_tmp_t) - - mysql_run_mysqld($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_admin'($*)) dnl - ') - - -####################################### -## -## Set the attributes of the MySQL run directories -## -## -## -## Domain allowed access -## -## -# - define(`mysql_setattr_run_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_setattr_run_dirs'($*)) dnl - - gen_require(` - type mysqld_runtime_t; - ') - - setattr_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_setattr_run_dirs'($*)) dnl - ') - - -####################################### -## -## Create MySQL run directories -## -## -## -## Domain allowed access -## -## -# - define(`mysql_create_run_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) 
dnl - policy_m4_comment(policy_call_depth,begin `mysql_create_run_dirs'($*)) dnl - - gen_require(` - type mysqld_runtime_t; - ') - - create_dirs_pattern($1, mysqld_runtime_t, mysqld_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_create_run_dirs'($*)) dnl - ') - - -####################################### -## -## Automatically use the MySQL run label for created resources in generic -## run locations. This method is deprecated in favor of the -## init_daemon_run_dir call. -## -## -## -## Domain allowed access -## -## -## -## -## Type of the resource created for which the automatic file transition -## should occur -## -## -## -## -## The name of the resource being created -## -## -# - define(`mysql_generic_run_filetrans_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mysql_generic_run_filetrans_run'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mysql_generic_run_filetrans_run'($*)) dnl - ') - -## Sensor information logging daemon. - -######################################## -## -## All of the rules required to -## administrate an sensord environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sensord_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sensord_admin'($*)) dnl - - gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_runtime_t; - ') - - allow $1 sensord_t:process { ptrace signal_perms }; - ps_process_pattern($1, sensord_t) - - init_startstop_service($1, $2, sensord_t, sensord_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, sensord_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sensord_admin'($*)) dnl - ') - -## Unix to Unix Copy. 
- -######################################## -## -## Execute uucico in the uucpd_t domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`uucp_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uucp_domtrans'($*)) dnl - - gen_require(` - type uucpd_t, uucpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uucpd_exec_t, uucpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uucp_domtrans'($*)) dnl - ') - - -######################################## -## -## Append uucp log files. -## -## -## -## Domain allowed access. -## -## -# - define(`uucp_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uucp_append_log'($*)) dnl - - gen_require(` - type uucpd_log_t; - ') - - logging_search_logs($1) - allow $1 uucpd_log_t:dir list_dir_perms; - append_files_pattern($1, uucpd_log_t, uucpd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uucp_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## uucp spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`uucp_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uucp_manage_spool'($*)) dnl - - gen_require(` - type uucpd_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) - manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uucp_manage_spool'($*)) dnl - ') - - -######################################## -## -## Execute uux in the uux_t domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`uucp_domtrans_uux',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uucp_domtrans_uux'($*)) dnl - - gen_require(` - type uux_t, uux_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, uux_exec_t, uux_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uucp_domtrans_uux'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an uucp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`uucp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uucp_admin'($*)) dnl - - gen_require(` - type uucpd_t, uucpd_tmp_t, uucpd_log_t; - type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t; - type uucpd_runtime_t, uucpd_initrc_exec_t; - ') - - init_startstop_service($1, $2, uucpd_t, uucpd_initrc_exec_t) - - allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) - - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - - files_list_spool($1) - admin_pattern($1, uucpd_spool_t) - - admin_pattern($1, { uucpd_rw_t uucpd_ro_t }) - - files_list_tmp($1) - admin_pattern($1, uucpd_tmp_t) - - files_list_pids($1) - admin_pattern($1, uucpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uucp_admin'($*)) dnl - ') - -## Non-Uniform Memory Alignment Daemon. - -######################################## -## -## All of the rules required to -## administrate an numad environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`numad_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `numad_admin'($*)) dnl - - gen_require(` - type numad_t, numad_initrc_exec_t, numad_log_t; - type numad_runtime_t; - ') - - allow $1 numad_t:process { ptrace signal_perms }; - ps_process_pattern($1, numad_t) - - init_startstop_service($1, $2, numad_t, numad_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, numad_log_t) - - files_search_pids($1) - admin_pattern($1, numad_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `numad_admin'($*)) dnl - ') - -## OpenStack image registry and delivery service. - -######################################## -## -## Execute a domain transition to -## run glance registry. -## -## -## -## Domain allowed to transition. -## -## -# - define(`glance_domtrans_registry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_domtrans_registry'($*)) dnl - - gen_require(` - type glance_registry_t, glance_registry_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, glance_registry_exec_t, glance_registry_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_domtrans_registry'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run glance api. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`glance_domtrans_api',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_domtrans_api'($*)) dnl - - gen_require(` - type glance_api_t, glance_api_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, glance_api_exec_t, glance_api_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_domtrans_api'($*)) dnl - ') - - -######################################## -## -## Read glance log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`glance_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_read_log'($*)) dnl - - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, glance_log_t, glance_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_read_log'($*)) dnl - ') - - -######################################## -## -## Append glance log files. -## -## -## -## Domain allowed access. -## -## -# - define(`glance_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_append_log'($*)) dnl - - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, glance_log_t, glance_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## glance log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`glance_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_manage_log'($*)) dnl - - gen_require(` - type glance_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, glance_log_t, glance_log_t) - manage_files_pattern($1, glance_log_t, glance_log_t) - manage_lnk_files_pattern($1, glance_log_t, glance_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_manage_log'($*)) dnl - ') - - -######################################## -## -## Search glance lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`glance_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_search_lib'($*)) dnl - - gen_require(` - type glance_var_lib_t; - ') - - allow $1 glance_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_search_lib'($*)) dnl - ') - - -######################################## -## -## Read glance lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`glance_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_read_lib_files'($*)) dnl - - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, glance_var_lib_t, glance_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## glance lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`glance_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_manage_lib_files'($*)) dnl - - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## glance lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`glance_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_manage_lib_dirs'($*)) dnl - - gen_require(` - type glance_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read glance pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`glance_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_read_pid_files'($*)) dnl - - gen_require(` - type glance_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, glance_runtime_t, glance_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## glance pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`glance_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_manage_pid_files'($*)) dnl - - gen_require(` - type glance_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, glance_runtime_t, glance_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an glance environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`glance_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glance_admin'($*)) dnl - - gen_require(` - type glance_registry_t, glance_api_t, glance_log_t; - type glance_var_lib_t, glance_runtime_t; - type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; - ') - - allow $1 { glance_api_t glance_registry_t }:process signal_perms; - ps_process_pattern($1, { glance_api_t glance_registry_t }) - - init_startstop_service($1, $2, glance_api_t, glance_api_initrc_exec_t) - init_startstop_service($1, $2, glance_registry_t, glance_registry_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, glance_log_t) - - files_search_var_lib($1) - admin_pattern($1, glance_var_lib_t) - - files_search_pids($1) - admin_pattern($1, glance_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glance_admin'($*)) dnl - ') - -## Point to Point Protocol daemon creates links in ppp networks. - -######################################## -## -## Create, read, write, and delete -## ppp home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ppp_manage_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_manage_home_files'($*)) dnl - - gen_require(` - type ppp_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_manage_home_files'($*)) dnl - ') - - -######################################## -## -## Read ppp user home content files. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_read_home_files'($*)) dnl - - gen_require(` - type ppp_home_t; - - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_read_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel ppp home files. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_relabel_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_relabel_home_files'($*)) dnl - - gen_require(` - type ppp_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_relabel_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the ppp home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`ppp_home_filetrans_ppp_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_home_filetrans_ppp_home'($*)) dnl - - gen_require(` - type ppp_home_t; - ') - - userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_home_filetrans_ppp_home'($*)) dnl - ') - - -######################################## -## -## Inherit and use ppp file discriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_use_fds'($*)) dnl - - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## and use ppp file discriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`ppp_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_dontaudit_use_fds'($*)) dnl - - gen_require(` - type pppd_t; - ') - - dontaudit $1 pppd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Send child terminated signals to ppp. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_sigchld'($*)) dnl - - gen_require(` - type pppd_t; - - ') - - allow $1 pppd_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_sigchld'($*)) dnl - ') - - -######################################## -## -## Send kill signals to ppp. 
-## -## -## -## Domain allowed access. -## -## -# -# - define(`ppp_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_kill'($*)) dnl - - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_kill'($*)) dnl - ') - - -######################################## -## -## Send generic signals to ppp. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_signal'($*)) dnl - - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to ppp. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_signull'($*)) dnl - - gen_require(` - type pppd_t; - ') - - allow $1 pppd_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_signull'($*)) dnl - ') - - -######################################## -## -## Execute pppd in the pppd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ppp_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_domtrans'($*)) dnl - - gen_require(` - type pppd_t, pppd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pppd_exec_t, pppd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_domtrans'($*)) dnl - ') - - -######################################## -## -## Conditionally execute pppd on -## behalf of a user or staff type. 
-## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ppp_run_cond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_run_cond'($*)) dnl - - gen_require(` - attribute_role pppd_roles; - ') - - roleattribute $2 pppd_roles; - - tunable_policy(`pppd_for_user',` - ppp_domtrans($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_run_cond'($*)) dnl - ') - - -######################################## -## -## Unconditionally execute ppp daemon -## on behalf of a user or staff type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ppp_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_run'($*)) dnl - - gen_require(` - attribute_role pppd_roles; - ') - - ppp_domtrans($1) - roleattribute $2 pppd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_run'($*)) dnl - ') - - -######################################## -## -## Execute domain in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_exec'($*)) dnl - - gen_require(` - type pppd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, pppd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_exec'($*)) dnl - ') - - -######################################## -## -## Read ppp configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ppp_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_read_config'($*)) dnl - - gen_require(` - type pppd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, pppd_etc_t, pppd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_read_config'($*)) dnl - ') - - -######################################## -## -## Read ppp writable configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_read_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_read_rw_config'($*)) dnl - - gen_require(` - type pppd_etc_t, pppd_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; - allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_read_rw_config'($*)) dnl - ') - - -######################################## -## -## Read ppp secret files. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_read_secrets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_read_secrets'($*)) dnl - - gen_require(` - type pppd_etc_t, pppd_secret_t; - ') - - files_search_etc($1) - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; - allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_read_secrets'($*)) dnl - ') - - -######################################## -## -## Read ppp pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ppp_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_read_pid_files'($*)) dnl - - gen_require(` - type pppd_runtime_t; - ') - - files_search_pids($1) - allow $1 pppd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## ppp pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`ppp_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_manage_pid_files'($*)) dnl - - gen_require(` - type pppd_runtime_t; - ') - - files_search_pids($1) - allow $1 pppd_runtime_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Create specified pppd pid objects -## with a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`ppp_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_pid_filetrans'($*)) dnl - - gen_require(` - type pppd_runtime_t; - ') - - files_pid_filetrans($1, pppd_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_pid_filetrans'($*)) dnl - ') - - -######################################## -## -## Execute pppd init script in -## the initrc domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ppp_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_initrc_domtrans'($*)) dnl - - gen_require(` - type pppd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, pppd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ppp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ppp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ppp_admin'($*)) dnl - - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; - type pppd_runtime_t, pppd_initrc_exec_t; - type pptp_t, pptp_log_t, pptp_runtime_t; - ') - - allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { pptp_t pppd_t }) - - init_startstop_service($1, $2, pppd_t, pppd_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) - admin_pattern($1, { pptp_log_t pppd_log_t }) - - files_list_locks($1) - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) - admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) - - files_list_pids($1) - admin_pattern($1, { pptp_runtime_t pppd_runtime_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ppp_admin'($*)) dnl - ') - -## Open Certificate Authority. - -######################################## -## -## Execute the openca with -## a domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`openca_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openca_domtrans'($*)) dnl - - gen_require(` - type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; - ') - - files_search_usr($1) - allow $1 openca_usr_share_t:dir search_dir_perms; - domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openca_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to openca. -## -## -## -## Domain allowed access. -## -## -# - define(`openca_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openca_signal'($*)) dnl - - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openca_signal'($*)) dnl - ') - - -######################################## -## -## Send stop signals to openca. -## -## -## -## Domain allowed access. -## -## -# - define(`openca_sigstop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openca_sigstop'($*)) dnl - - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigstop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openca_sigstop'($*)) dnl - ') - - -######################################## -## -## Send kill signals to openca. -## -## -## -## Domain allowed access. -## -## -# - define(`openca_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openca_kill'($*)) dnl - - gen_require(` - type openca_ca_t; - ') - - allow $1 openca_ca_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openca_kill'($*)) dnl - ') - -## Corosync Cluster Engine. 
- -######################################## -## -## Execute a domain transition to run corosync. -## -## -## -## Domain allowed to transition. -## -## -# - define(`corosync_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_domtrans'($*)) dnl - - gen_require(` - type corosync_t, corosync_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, corosync_exec_t, corosync_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute corosync init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`corosync_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_initrc_domtrans'($*)) dnl - - gen_require(` - type corosync_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, corosync_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_initrc_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute corosync in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`corosync_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_exec'($*)) dnl - - gen_require(` - type corosync_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, corosync_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_exec'($*)) dnl - ') - - -####################################### -## -## Read corosync log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`corosync_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_read_log'($*)) dnl - - gen_require(` - type corosync_var_log_t; - ') - - logging_search_logs($1) - list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_read_log'($*)) dnl - ') - - -##################################### -## -## Connect to corosync over a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`corosync_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_stream_connect'($*)) dnl - - gen_require(` - type corosync_t, corosync_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_stream_connect'($*)) dnl - ') - - -###################################### -## -## Read and write corosync tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`corosync_rw_tmpfs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_rw_tmpfs'($*)) dnl - - gen_require(` - type corosync_tmpfs_t; - ') - - fs_search_tmpfs($1) - rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_rw_tmpfs'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an corosync environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`corosync_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `corosync_admin'($*)) dnl - - gen_require(` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_runtime_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; - ') - - allow $1 corosync_t:process { ptrace signal_perms }; - ps_process_pattern($1, corosync_t) - - init_startstop_service($1, $2, corosync_t, corosync_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, corosync_tmp_t) - - admin_pattern($1, corosync_tmpfs_t) - - files_list_var_lib($1) - admin_pattern($1, corosync_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, corosync_var_log_t) - - files_list_pids($1) - admin_pattern($1, corosync_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `corosync_admin'($*)) dnl - ') - -## Andrew Filesystem server. - -######################################## -## -## Execute a domain transition to run the -## afs client. -## -## -## -## Domain allowed to transition. -## -## -# - define(`afs_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `afs_domtrans'($*)) dnl - - gen_require(` - type afs_t, afs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, afs_exec_t, afs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `afs_domtrans'($*)) dnl - ') - - -######################################## -## -## Read and write afs client UDP sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`afs_rw_udp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `afs_rw_udp_sockets'($*)) dnl - - gen_require(` - type afs_t; - ') - - allow $1 afs_t:udp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `afs_rw_udp_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write afs cache files. -## -## -## -## Domain allowed access. -## -## -# - define(`afs_rw_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `afs_rw_cache'($*)) dnl - - gen_require(` - type afs_cache_t; - ') - - files_search_var($1) - allow $1 afs_cache_t:file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `afs_rw_cache'($*)) dnl - ') - - -######################################## -## -## Execute afs server in the afs domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`afs_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `afs_initrc_domtrans'($*)) dnl - - gen_require(` - type afs_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, afs_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `afs_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an afs environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`afs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `afs_admin'($*)) dnl - - gen_require(` - attribute afs_domain; - type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; - type afs_ka_db_t, afs_vl_db_t, afs_config_t; - type afs_logfile_t, afs_cache_t, afs_files_t; - ') - - allow $1 afs_domain:process { ptrace signal_perms }; - ps_process_pattern($1, afs_domain) - - init_startstop_service($1, $2, afs_domain, afs_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, afs_config_t) - - files_search_var($1) - admin_pattern($1, afs_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t }) - admin_pattern($1, afs_vl_db_t) - - logging_search_logs($1) - admin_pattern($1, afs_logfile_t) - - admin_pattern($1, afs_files_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `afs_admin'($*)) dnl - ') - -## Prelude hybrid intrusion detection system. - -######################################## -## -## Execute a domain transition to run prelude. -## -## -## -## Domain allowed to transition. -## -## -# - define(`prelude_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_domtrans'($*)) dnl - - gen_require(` - type prelude_t, prelude_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelude_exec_t, prelude_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run prelude audisp. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`prelude_domtrans_audisp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_domtrans_audisp'($*)) dnl - - gen_require(` - type prelude_audisp_t, prelude_audisp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_domtrans_audisp'($*)) dnl - ') - - -######################################## -## -## Send generic signals to prelude audisp. -## -## -## -## Domain allowed access. -## -## -# - define(`prelude_signal_audisp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_signal_audisp'($*)) dnl - - gen_require(` - type prelude_audisp_t; - ') - - allow $1 prelude_audisp_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_signal_audisp'($*)) dnl - ') - - -######################################## -## -## Read prelude spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`prelude_read_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_read_spool'($*)) dnl - - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, prelude_spool_t, prelude_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_read_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## prelude manager spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`prelude_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_manage_spool'($*)) dnl - - gen_require(` - type prelude_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) - manage_files_pattern($1, prelude_spool_t, prelude_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_manage_spool'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an prelude environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`prelude_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `prelude_admin'($*)) dnl - - gen_require(` - type prelude_t, prelude_spool_t, prelude_lml_runtime_t; - type prelude_runtime_t, prelude_var_lib_t, prelude_log_t; - type prelude_audisp_t, prelude_audisp_runtime_t; - type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t; - type prelude_correlator_t; - ') - - allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }) - - init_startstop_service($1, $2, prelude_t, prelude_initrc_exec_t) - - files_search_spool($1) - admin_pattern($1, prelude_spool_t) - - logging_search_logs($1) - admin_pattern($1, prelude_log_t) - - files_search_var_lib($1) - admin_pattern($1, prelude_var_lib_t) - - files_search_pids($1) - admin_pattern($1, { prelude_audisp_runtime_t prelude_runtime_t prelude_lml_runtime_t }) - - files_search_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `prelude_admin'($*)) dnl - ') - -## A distributed, collaborative, spam detection and filtering network. 
- -####################################### -## -## The template to define a razor domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`razor_common_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `razor_common_domain_template'($*)) dnl - - gen_require(` - attribute razor_domain; - type razor_exec_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t, razor_domain; - domain_type($1_t) - domain_entry_file($1_t, razor_exec_t) - - ######################################## - # - # Declarations - # - - auth_use_nsswitch($1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `razor_common_domain_template'($*)) dnl - ') - - -######################################## -## -## Role access for razor. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`razor_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `razor_role'($*)) dnl - - gen_require(` - attribute_role razor_roles; - type razor_t, razor_exec_t, razor_home_t; - type razor_tmp_t; - ') - - roleattribute $1 razor_roles; - - domtrans_pattern($2, razor_exec_t, razor_t) - - ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; - - allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `razor_role'($*)) dnl - ') - - -######################################## -## -## Execute razor in the system razor domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`razor_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `razor_domtrans'($*)) dnl - - gen_require(` - type system_razor_t, razor_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, razor_exec_t, system_razor_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `razor_domtrans'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## razor home content. -## -## -## -## Domain allowed access. -## -## -# - define(`razor_manage_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `razor_manage_home_content'($*)) dnl - - gen_require(` - type razor_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 razor_home_t:dir manage_dir_perms; - allow $1 razor_home_t:file manage_file_perms; - allow $1 razor_home_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `razor_manage_home_content'($*)) dnl - ') - - -######################################## -## -## Read razor lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`razor_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `razor_read_lib_files'($*)) dnl - - gen_require(` - type razor_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `razor_read_lib_files'($*)) dnl - ') - -## High-Throughput Computing System. - -####################################### -## -## The template to define a condor domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`condor_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `condor_domain_template'($*)) dnl - - gen_require(` - attribute condor_domain; - type condor_master_t; - ') - - ############################# - # - # Declarations - # - - type condor_$1_t, condor_domain; - type condor_$1_exec_t; - domain_type(condor_$1_t) - domain_entry_file(condor_$1_t, condor_$1_exec_t) - role system_r types condor_$1_t; - - ############################# - # - # Policy - # - - domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) - allow condor_master_t condor_$1_exec_t:file ioctl; - - auth_use_nsswitch(condor_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `condor_domain_template'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an condor environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`condor_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `condor_admin'($*)) dnl - - gen_require(` - attribute condor_domain; - type condor_initrc_exec_t, condor_log_t; - type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; - type condor_runtime_t, condor_startd_tmp_t, condor_conf_t; - ') - - allow $1 condor_domain:process { ptrace signal_perms }; - ps_process_pattern($1, condor_domain) - - init_startstop_service($1, $2, condor_domain, condor_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, condor_conf_t) - - logging_search_logs($1) - admin_pattern($1, condor_log_t) - - files_search_locks($1) - admin_pattern($1, condor_var_lock_t) - - files_search_var_lib($1) - admin_pattern($1, condor_var_lib_t) - - files_search_pids($1) - admin_pattern($1, condor_runtime_t) - - files_search_tmp($1) - admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `condor_admin'($*)) dnl - ') - -## Secure shell client and server policy. - -####################################### -## -## Basic SSH client template. -## -## -##

-## This template creates a derived domains which are used -## for ssh client sessions. A derived -## type is also created to protect the user ssh keys. -##

-##

-## This template was added for NX. -##

-##
-## -## -## The prefix of the domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The type of the domain. -## -## -## -## -## The role associated with the user domain. -## -## -# - define(`ssh_basic_client_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_basic_client_template'($*)) dnl - - - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; - ') - - ############################## - # - # Declarations - # - - type $1_ssh_t; - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; - - type $1_ssh_home_t; - files_type($1_ssh_home_t) - - ############################## - # - # Client local policy - # - - allow $1_ssh_t self:capability { dac_override dac_read_search setgid setuid }; - allow $1_ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; - allow $1_ssh_t self:fd use; - allow $1_ssh_t self:fifo_file rw_fifo_file_perms; - allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_ssh_t self:shm create_shm_perms; - allow $1_ssh_t self:sem create_sem_perms; - allow $1_ssh_t self:msgq create_msgq_perms; - allow $1_ssh_t self:msg { send receive }; - allow $1_ssh_t self:tcp_socket create_stream_socket_perms; - - # for rsync - allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; - allow $1_ssh_t $2:unix_stream_socket connectto; - - # Read the ssh key file. - allow $1_ssh_t sshd_key_t:file read_file_perms; - - # Access the ssh temporary files. - allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms; - allow $1_ssh_t sshd_tmp_t:file manage_file_perms; - files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir }) - - # Transition from the domain to the derived domain. 
- domtrans_pattern($2, ssh_exec_t, $1_ssh_t) - - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - # cjp: should probably fix target to be an attribute for ssh servers - # or "regular" (not special like sshd_extern_t) servers - allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; - - # allow ps to show ssh - ps_process_pattern($2, $1_ssh_t) - - # user can manage the keys and config - manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - - # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) - - # ssh servers can read the user keys and config - allow ssh_server $1_ssh_home_t:dir list_dir_perms; - read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) - - kernel_read_kernel_sysctls($1_ssh_t) - kernel_read_system_state($1_ssh_t) - - corenet_all_recvfrom_unlabeled($1_ssh_t) - corenet_all_recvfrom_netlabel($1_ssh_t) - corenet_tcp_sendrecv_generic_if($1_ssh_t) - corenet_tcp_sendrecv_generic_node($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) - - dev_read_urand($1_ssh_t) - - fs_getattr_all_fs($1_ssh_t) - fs_search_auto_mountpoints($1_ssh_t) - - # run helper programs - needed eg for x11-ssh-askpass - corecmd_exec_shell($1_ssh_t) - corecmd_exec_bin($1_ssh_t) - - domain_use_interactive_fds($1_ssh_t) - - files_list_home($1_ssh_t) - files_read_usr_files($1_ssh_t) - files_read_etc_runtime_files($1_ssh_t) - files_read_etc_files($1_ssh_t) - files_read_var_files($1_ssh_t) - - auth_use_nsswitch($1_ssh_t) - - logging_send_syslog_msg($1_ssh_t) - logging_read_generic_logs($1_ssh_t) - - miscfiles_read_localization($1_ssh_t) - - seutil_read_config($1_ssh_t) - - 
optional_policy(` - kerberos_use($1_ssh_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_basic_client_template'($*)) dnl - ') - - -####################################### -## -## The template to define a ssh server. -## -## -##

-## This template creates a domains to be used for -## creating a ssh server. This is typically done -## to have multiple ssh servers of different sensitivities, -## such as for an internal network-facing ssh server, and -## a external network-facing ssh server. -##

-##
-## -## -## The prefix of the server domain (e.g., sshd -## is the prefix for sshd_t). -## -## -# - define(`ssh_server_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_server_template'($*)) dnl - - gen_require(` - type sshd_exec_t, sshd_key_t; - ') - type $1_t, ssh_server; - auth_login_pgm_domain($1_t) - - type $1_devpts_t; - term_login_pty($1_devpts_t) - - type $1_runtime_t alias $1_var_run_t; - files_pid_file($1_runtime_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - allow $1_t self:capability { chown dac_read_search fowner fsetid kill setgid setuid sys_chroot sys_nice sys_resource sys_tty_config }; - # net_admin is for SO_SNDBUFFORCE - dontaudit $1_t self:capability net_admin; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:shm create_shm_perms; - - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; - term_create_pty($1_t, $1_devpts_t) - - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) - - allow $1_t $1_runtime_t:dir search_dir_perms; - allow $1_t $1_runtime_t:file manage_file_perms; - files_pid_filetrans($1_t, $1_runtime_t, file) - - can_exec($1_t, sshd_exec_t) - - # Access key files - allow $1_t sshd_key_t:file read_file_perms; - - kernel_read_kernel_sysctls($1_t) - kernel_read_network_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - 
corenet_raw_sendrecv_generic_node($1_t) - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) - - fs_dontaudit_getattr_all_fs($1_t) - - auth_rw_login_records($1_t) - auth_rw_faillog($1_t) - - # for sshd subsystems, such as sftp-server. - corecmd_getattr_bin_files($1_t) - - domain_interactive_fd($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) - - logging_search_logs($1_t) - - miscfiles_read_localization($1_t) - - userdom_create_all_users_keys($1_t) - userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) - - # Allow checking users mail at login - optional_policy(` - mta_getattr_spool($1_t) - ') - - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) - fs_read_nfs_symlinks($1_t) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files($1_t) - ') - - optional_policy(` - kerberos_use($1_t) - kerberos_manage_host_rcache($1_t) - ') - - optional_policy(` - files_read_var_lib_symlinks($1_t) - nx_spec_domtrans_server($1_t) - ') - - optional_policy(` - systemd_read_logind_sessions_files($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_server_template'($*)) dnl - ') - - -######################################## -## -## Role access for ssh -## -## -## -## The prefix of the role (e.g., user -## is the prefix for user_r). 
-## -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`ssh_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_role_template'($*)) dnl - - gen_require(` - attribute ssh_server, ssh_agent_type; - - type ssh_t, ssh_exec_t, ssh_home_t, ssh_agent_exec_t; - type ssh_agent_tmp_t; - ') - - ############################## - # - # Declarations - # - - role $2 types ssh_t; - - type $1_ssh_agent_t, ssh_agent_type; - userdom_user_application_domain($1_ssh_agent_t, ssh_agent_exec_t) - domain_interactive_fd($1_ssh_agent_t) - role $2 types $1_ssh_agent_t; - - ############################## - # - # Local policy - # - - # Transition from the domain to the derived domain. - domtrans_pattern($3, ssh_exec_t, ssh_t) - - # inheriting stream sockets is needed for "ssh host command" as no pty - # is allocated - allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms; - - # allow ps to show ssh - ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process signal; - - # for rsync - allow ssh_t $3:unix_stream_socket rw_socket_perms; - allow ssh_t $3:unix_stream_socket connectto; - allow ssh_t $3:key manage_key_perms; - - # user can manage the keys and config - manage_files_pattern($3, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1_t) - - ############################## - # - # SSH agent local policy - # - - allow $1_ssh_agent_t self:process { setrlimit signal }; - allow $1_ssh_agent_t self:capability setgid; - allow $1_ssh_agent_t self:fifo_file rw_file_perms; - - allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; - - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - - manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, 
ssh_agent_tmp_t) - files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) - - # for ssh-add - stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; - - # allow ps to show ssh - ps_process_pattern($3, $1_ssh_agent_t) - - domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) - - kernel_read_kernel_sysctls($1_ssh_agent_t) - - dev_read_urand($1_ssh_agent_t) - dev_read_rand($1_ssh_agent_t) - - fs_search_auto_mountpoints($1_ssh_agent_t) - - # transition back to normal privs upon exec - corecmd_shell_domtrans($1_ssh_agent_t, $3) - corecmd_bin_domtrans($1_ssh_agent_t, $3) - - domain_use_interactive_fds($1_ssh_agent_t) - - files_read_etc_files($1_ssh_agent_t) - files_read_etc_runtime_files($1_ssh_agent_t) - files_search_home($1_ssh_agent_t) - - libs_read_lib_files($1_ssh_agent_t) - - logging_send_syslog_msg($1_ssh_agent_t) - - miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_generic_certs($1_ssh_agent_t) - - seutil_dontaudit_read_config($1_ssh_agent_t) - - # Write to the user domain tty. 
- userdom_use_user_terminals($1_ssh_agent_t) - - # for the transition back to normal privs upon exec - userdom_search_user_home_content($1_ssh_agent_t) - userdom_user_home_domtrans($1_ssh_agent_t, $3) - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_nfs_domtrans($1_ssh_agent_t, $3) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_ssh_agent_t) - - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') - - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') - - optional_policy(` - tunable_policy(`ssh_use_gpg_agent',` - # for ssh-add - gpg_stream_connect_agent($3) - ') - ') - - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) - xserver_sigchld_xdm($1_ssh_agent_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_role_template'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to the ssh server. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_sigchld'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_sigchld'($*)) dnl - ') - - -######################################## -## -## Send a generic signal to the ssh server. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ssh_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_signal'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_signal'($*)) dnl - ') - - -######################################## -## -## Send a null signal to sshd processes. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_signull'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_signull'($*)) dnl - ') - - -######################################## -## -## Read a ssh server unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_read_pipes'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:fifo_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_read_pipes'($*)) dnl - ') - -######################################## -## -## Read and write a ssh server unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_rw_pipes'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:fifo_file { write read getattr ioctl }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write ssh server unix domain stream sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ssh_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_rw_stream_sockets'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write ssh server TCP sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_rw_tcp_sockets'($*)) dnl - - gen_require(` - type sshd_t; - ') - - allow $1 sshd_t:tcp_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## ssh server TCP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`ssh_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type sshd_t; - ') - - dontaudit $1 sshd_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Execute the ssh daemon in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ssh_exec_sshd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_exec_sshd'($*)) dnl - - gen_require(` - type sshd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, sshd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_exec_sshd'($*)) dnl - ') - - -######################################## -## -## Execute the ssh daemon sshd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ssh_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_domtrans'($*)) dnl - - gen_require(` - type sshd_t, sshd_exec_t; - ') - - domtrans_pattern($1, sshd_exec_t, sshd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the ssh client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_exec'($*)) dnl - - gen_require(` - type ssh_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ssh_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_exec'($*)) dnl - ') - - -######################################## -## -## Set the attributes of sshd key files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ssh_setattr_key_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_setattr_key_files'($*)) dnl - - gen_require(` - type sshd_key_t; - ') - - allow $1 sshd_key_t:file setattr; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_setattr_key_files'($*)) dnl - ') - - -######################################## -## -## Execute the ssh agent client in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_agent_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_agent_exec'($*)) dnl - - gen_require(` - type ssh_agent_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ssh_agent_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_agent_exec'($*)) dnl - ') - - -######################################## -## -## Read ssh home directory content -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_read_user_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_read_user_home_files'($*)) dnl - - gen_require(` - type ssh_home_t; - ') - - allow $1 ssh_home_t:dir list_dir_perms; - read_files_pattern($1, ssh_home_t, ssh_home_t) - read_lnk_files_pattern($1, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_read_user_home_files'($*)) dnl - ') - - -######################################## -## -## Execute the ssh key generator in the ssh keygen domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ssh_domtrans_keygen',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_domtrans_keygen'($*)) dnl - - gen_require(` - type ssh_keygen_t, ssh_keygen_exec_t; - ') - - domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_domtrans_keygen'($*)) dnl - ') - - -######################################## -## -## Read ssh server keys -## -## -## -## Domain to not audit. -## -## -# - define(`ssh_dontaudit_read_server_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_read_server_keys'($*)) dnl - - gen_require(` - type sshd_key_t; - ') - - dontaudit $1 sshd_key_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_dontaudit_read_server_keys'($*)) dnl - ') - - -###################################### -## -## Manage ssh home directory content -## -## -## -## Domain allowed access. -## -## -# - define(`ssh_manage_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_manage_home_files'($*)) dnl - - gen_require(` - type ssh_home_t; - ') - - manage_files_pattern($1, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_manage_home_files'($*)) dnl - ') - - -####################################### -## -## Delete from the ssh temp files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ssh_delete_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ssh_delete_tmp'($*)) dnl - - gen_require(` - type sshd_tmp_t; - ') - - files_search_tmp($1) - delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ssh_delete_tmp'($*)) dnl - ') - -## Milter mail filters. - -####################################### -## -## The template to define a milter domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`milter_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `milter_template'($*)) dnl - - gen_require(` - attribute milter_data_type, milter_domains; - ') - - ######################################## - # - # Declarations - # - - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) - - type $1_milter_data_t, milter_data_type; - files_pid_file($1_milter_data_t) - - ######################################## - # - # Policy - # - - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - - auth_use_nsswitch($1_milter_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `milter_template'($*)) dnl - ') - - -######################################## -## -## connect to all milter domains using -## a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`milter_stream_connect_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `milter_stream_connect_all'($*)) dnl - - gen_require(` - attribute milter_data_type, milter_domains; - ') - - files_search_pids($1) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `milter_stream_connect_all'($*)) dnl - ') - - -######################################## -## -## Get attributes of all milter sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`milter_getattr_all_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `milter_getattr_all_sockets'($*)) dnl - - gen_require(` - attribute milter_data_type; - ') - - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `milter_getattr_all_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## spamassissin milter data content. -## -## -## -## Domain allowed access. -## -## -# - define(`milter_manage_spamass_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `milter_manage_spamass_state'($*)) dnl - - gen_require(` - type spamass_milter_state_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `milter_manage_spamass_state'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the spamassissin milter data dir. 
-## -## -## -## Domain allowed access. -## -## -# - define(`milter_getattr_data_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `milter_getattr_data_dir'($*)) dnl - - gen_require(` - type spamass_milter_data_t; - ') - - allow $1 spamass_milter_data_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `milter_getattr_data_dir'($*)) dnl - ') - -## PostgreSQL relational database - -####################################### -## -## Role access for SE-PostgreSQL. -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. -## -## -# - define(`postgresql_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_role'($*)) dnl - - gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; - class db_sequence all_db_sequence_perms; - class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; - class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type, sepgsql_database_type; - attribute sepgsql_schema_type, sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; - type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; - type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; - type user_sepgsql_schema_t, user_sepgsql_seq_t; - type user_sepgsql_sysobj_t, user_sepgsql_table_t; - type user_sepgsql_view_t; - type sepgsql_temp_object_t; - ') - - ######################################## - # - # Declarations - # - - typeattribute $2 sepgsql_client_type; - role $1 types sepgsql_trusted_proc_t; - role $1 types sepgsql_ranged_proc_t; - - ############################## - # - # Client local policy - # - - 
tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; - allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - - allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; - type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; - - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - - allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; - type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; - - allow $2 user_sepgsql_view_t:db_view { getattr expand }; - type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; - - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; - - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; - - allow $2 sepgsql_ranged_proc_t:process transition; - type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; - allow sepgsql_ranged_proc_t 
$2:process dyntransition; - - allow $2 sepgsql_trusted_proc_t:process transition; - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_role'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL loadable shared library module -## -## -## -## Type marked as a database object type. -## -## -# - define(`postgresql_loadable_module',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_loadable_module'($*)) dnl - - gen_require(` - attribute sepgsql_module_type; - ') - - typeattribute $1 sepgsql_module_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_loadable_module'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL database object type -## -## -## -## Type marked as a database object type. -## -## -# - define(`postgresql_database_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_database_object'($*)) dnl - - gen_require(` - attribute sepgsql_database_type; - ') - - typeattribute $1 sepgsql_database_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_database_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL schema object type -## -## -## -## Type marked as a schema object type. 
-## -## -# - define(`postgresql_schema_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_schema_object'($*)) dnl - - gen_require(` - attribute sepgsql_schema_type; - ') - - typeattribute $1 sepgsql_schema_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_schema_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL table/column/tuple object type -## -## -## -## Type marked as a table/column/tuple object type. -## -## -# - define(`postgresql_table_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_table_object'($*)) dnl - - gen_require(` - attribute sepgsql_table_type; - ') - - typeattribute $1 sepgsql_table_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_table_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL system table/column/tuple object type -## -## -## -## Type marked as a table/column/tuple object type. -## -## -# - define(`postgresql_system_table_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_system_table_object'($*)) dnl - - gen_require(` - attribute sepgsql_table_type, sepgsql_sysobj_table_type; - ') - - typeattribute $1 sepgsql_table_type; - typeattribute $1 sepgsql_sysobj_table_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_system_table_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL sequence type -## -## -## -## Type marked as a sequence type. 
-## -## -# - define(`postgresql_sequence_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_sequence_object'($*)) dnl - - gen_require(` - attribute sepgsql_sequence_type; - ') - - typeattribute $1 sepgsql_sequence_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_sequence_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL view object type -## -## -## -## Type marked as a view object type. -## -## -# - define(`postgresql_view_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_view_object'($*)) dnl - - gen_require(` - attribute sepgsql_view_type; - ') - - typeattribute $1 sepgsql_view_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_view_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL procedure object type -## -## -## -## Type marked as a procedure object type. -## -## -# - define(`postgresql_procedure_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_procedure_object'($*)) dnl - - gen_require(` - attribute sepgsql_procedure_type; - ') - - typeattribute $1 sepgsql_procedure_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_procedure_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL trusted procedure object type -## -## -## -## Type marked as a trusted procedure object type. 
-## -## -# - define(`postgresql_trusted_procedure_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_trusted_procedure_object'($*)) dnl - - gen_require(` - attribute sepgsql_procedure_type; - attribute sepgsql_trusted_procedure_type; - ') - - typeattribute $1 sepgsql_procedure_type; - typeattribute $1 sepgsql_trusted_procedure_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_trusted_procedure_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL procedural language object type -## -## -## -## Type marked as a procedural language object type. -## -## -# - define(`postgresql_language_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_language_object'($*)) dnl - - gen_require(` - attribute sepgsql_language_type; - ') - - typeattribute $1 sepgsql_language_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_language_object'($*)) dnl - ') - - -######################################## -## -## Marks as a SE-PostgreSQL binary large object type -## -## -## -## Type marked as a database binary large object type. -## -## -# - define(`postgresql_blob_object',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_blob_object'($*)) dnl - - gen_require(` - attribute sepgsql_blob_type; - ') - - typeattribute $1 sepgsql_blob_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_blob_object'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to search postgresql's database directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postgresql_search_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_search_db'($*)) dnl - - gen_require(` - type postgresql_db_t; - ') - - allow $1 postgresql_db_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_search_db'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to manage postgresql's database. -## -## -## -## Domain allowed access. -## -## - define(`postgresql_manage_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_manage_db'($*)) dnl - - gen_require(` - type postgresql_db_t; - ') - - allow $1 postgresql_db_t:dir rw_dir_perms; - allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_manage_db'($*)) dnl - ') - - -####################################### -## -## Execute postgresql in the calling domain. -## -## -## -## Domain allowed access -## -## -# - define(`postgresql_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_exec'($*)) dnl - - gen_require(` - type postgresql_exec_t; - ') - - can_exec($1, postgresql_exec_t); - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_exec'($*)) dnl - ') - - -######################################## -## -## Execute postgresql in the postgresql domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`postgresql_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_domtrans'($*)) dnl - - gen_require(` - type postgresql_t, postgresql_exec_t; - ') - - domtrans_pattern($1, postgresql_exec_t, postgresql_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_domtrans'($*)) dnl - ') - - -###################################### -## -## Allow domain to signal postgresql -## -## -## -## Domain allowed access. -## -## -# - define(`postgresql_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_signal'($*)) dnl - - gen_require(` - type postgresql_t; - ') - allow $1 postgresql_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_signal'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to read postgresql's etc. -## -## -## -## Domain allowed access. -## -## -## -# - define(`postgresql_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_read_config'($*)) dnl - - gen_require(` - type postgresql_etc_t; - ') - - files_search_etc($1) - allow $1 postgresql_etc_t:dir list_dir_perms; - allow $1 postgresql_etc_t:file read_file_perms; - allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_read_config'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to postgresql with a tcp socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postgresql_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_tcp_connect'($*)) dnl - - gen_require(` - type postgresql_t; - ') - - corenet_tcp_recvfrom_labeled($1, postgresql_t) - corenet_tcp_connect_postgresql_port($1) - corenet_sendrecv_postgresql_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_tcp_connect'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to postgresql with a unix socket. -## -## -## -## Domain allowed access. -## -## -## -# - define(`postgresql_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_stream_connect'($*)) dnl - - gen_require(` - type postgresql_t, postgresql_runtime_t, postgresql_tmp_t; - ') - - stream_connect_pattern($1, { postgresql_runtime_t postgresql_tmp_t }, { postgresql_runtime_t postgresql_tmp_t }, postgresql_t) - - files_search_pids($1) - files_search_tmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_stream_connect'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain unprivileged accesses to unifined database objects -## managed by SE-PostgreSQL, -## -## -## -## Domain allowed access. 
-## -## -# - define(`postgresql_unpriv_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_unpriv_client'($*)) dnl - - gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; - class db_sequence all_db_sequence_perms; - class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; - class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; - attribute sepgsql_database_type, sepgsql_schema_type; - attribute sepgsql_sysobj_table_type; - - type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; - type sepgsql_temp_object_t; - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; - type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; - type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; - type unpriv_sepgsql_view_t; - ') - - ######################################## - # - # Declarations - # - - typeattribute $1 sepgsql_client_type; - - ######################################## - # - # Client local policy - # - - type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; - allow $1 sepgsql_ranged_proc_t:process transition; - allow sepgsql_ranged_proc_t $1:process dyntransition; - - type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - allow $1 sepgsql_trusted_proc_t:process transition; - - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; - - allow $1 unpriv_sepgsql_schema_t:db_schema { getattr 
add_name remove_name }; - type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; - type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - - allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; - type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; - - allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; - type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; - - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; - - allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; - type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; - - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; - allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; - allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_unpriv_client'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain unconfined accesses to any database objects -## managed by SE-PostgreSQL, -## -## -## -## Domain allowed access. 
-## -## -# - define(`postgresql_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_unconfined'($*)) dnl - - gen_require(` - attribute sepgsql_unconfined_type; - ') - - typeattribute $1 sepgsql_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_unconfined'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate an postgresql environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the postgresql domain. -## -## -## -# - define(`postgresql_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgresql_admin'($*)) dnl - - gen_require(` - attribute sepgsql_admin_type; - - type postgresql_t, postgresql_runtime_t; - type postgresql_tmp_t, postgresql_db_t; - type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t, postgresql_unit_t; - ') - - typeattribute $1 sepgsql_admin_type; - - allow $1 postgresql_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgresql_t) - - init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t) - - admin_pattern($1, postgresql_runtime_t) - - admin_pattern($1, postgresql_db_t) - - admin_pattern($1, postgresql_etc_t) - - admin_pattern($1, postgresql_log_t) - - admin_pattern($1, postgresql_tmp_t) - - postgresql_tcp_connect($1) - postgresql_stream_connect($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgresql_admin'($*)) dnl - ') - -## Telnet daemon. - -######################################## -## -## Read and write telnetd pty devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`telnet_use_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `telnet_use_ptys'($*)) dnl - - gen_require(` - type telnetd_devpts_t; - ') - - term_list_ptys($1) - allow $1 telnetd_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `telnet_use_ptys'($*)) dnl - ') - -## Network router discovery daemon. - -###################################### -## -## Execute rdisc in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`rdisc_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rdisc_exec'($*)) dnl - - gen_require(` - type rdisc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rdisc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rdisc_exec'($*)) dnl - ') - -## Remote-mail retrieval and forwarding utility. - -######################################## -## -## All of the rules required to -## administrate an fetchmail environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`fetchmail_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fetchmail_admin'($*)) dnl - - gen_require(` - type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; - type fetchmail_runtime_t, fetchmail_initrc_exec_t, fetchmail_log_t; - ') - - init_startstop_service($1, $2, fetchmail_t, fetchmail_initrc_exec_t) - - allow $1 fetchmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - - files_search_var_lib($1) - admin_pattern($1, fetchmail_uidl_cache_t) - - files_list_pids($1) - admin_pattern($1, fetchmail_runtime_t) - - logging_search_logs($1) - admin_pattern($1, fetchmail_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fetchmail_admin'($*)) dnl - ') - -## Watchdog multiplexing daemon. - -######################################## -## -## Connect to wdmd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`wdmd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wdmd_stream_connect'($*)) dnl - - gen_require(` - type wdmd_t, wdmd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, wdmd_runtime_t, wdmd_runtime_t, wdmd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wdmd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an wdmd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`wdmd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wdmd_admin'($*)) dnl - - gen_require(` - type wdmd_t, wdmd_initrc_exec_t, wdmd_runtime_t; - ') - - allow $1 wdmd_t:process { ptrace signal_perms }; - ps_process_pattern($1, wdmd_t) - - init_startstop_service($1, $2, wdmd_t, wdmd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, wdmd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wdmd_admin'($*)) dnl - ') - -## X Windows Server - -######################################## -## -## Rules required for using the X Windows server -## and environment, for restricted users. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_restricted_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_restricted_role'($*)) dnl - - gen_require(` - type xserver_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; - type xdm_t, xdm_tmp_t; - ') - - role $1 types { xserver_t xauth_t iceauth_t }; - - # Xserver read/write client shm - allow xserver_t $2:fd use; - allow xserver_t $2:shm rw_shm_perms; - - allow xserver_t $2:process signal; - - allow xserver_t $2:shm rw_shm_perms; - - allow $2 user_fonts_t:dir list_dir_perms; - allow $2 user_fonts_t:file read_file_perms; - - allow $2 user_fonts_config_t:dir list_dir_perms; - allow $2 user_fonts_config_t:file read_file_perms; - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) - files_search_tmp($2) - - # Communicate via System V shared memory. 
- allow $2 xserver_t:shm r_shm_perms; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # allow ps to show iceauth - ps_process_pattern($2, iceauth_t) - - domtrans_pattern($2, iceauth_exec_t, iceauth_t) - - allow $2 iceauth_home_t:file read_file_perms; - - domtrans_pattern($2, xauth_exec_t, xauth_t) - - allow $2 xauth_t:process signal; - - # allow ps to show xauth - ps_process_pattern($2, xauth_t) - allow $2 xserver_t:process signal; - - allow $2 xauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; - - dev_rw_xserver_misc($2) - dev_map_xserver_misc($2) - dev_rw_power_management($2) - dev_read_input($2) - dev_read_misc($2) - dev_write_misc($2) - # open office is looking for the following - dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) - # GNOME checks for usb and other devices: - dev_rw_usbfs($2) - - miscfiles_read_fonts($2) - - xserver_common_x_domain_template(user, $2) - xserver_domtrans($2) - xserver_unconfined($2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) - xserver_stream_connect_xdm($2) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($2) - # gnome-session creates socket under /tmp/.ICE-unix/ - xserver_create_xdm_tmp_sockets($2) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) - - # for the .xsession-errors log file - xserver_user_home_dir_filetrans_user_xsession_log($2) - xserver_manage_xsession_log($2) - - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; 
- ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_restricted_role'($*)) dnl - ') - - -######################################## -## -## Rules required for using the X Windows server -## and environment. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_role'($*)) dnl - - gen_require(` - type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type mesa_shader_cache_t; - ') - - xserver_restricted_role($1, $2) - - # Communicate via System V shared memory. - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - - # XCB Event Queue: used by the Qt library for example - allow $2 xserver_tmp_t:file rw_file_perms; - - allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; - - allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; - - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) - - manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - - manage_dirs_pattern($2, mesa_shader_cache_t, 
mesa_shader_cache_t) - manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) - allow $2 mesa_shader_cache_t:file map; - relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) - relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t) - - xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority") - - xserver_read_xkb_libs($2) - - optional_policy(` - xdg_manage_all_cache($2) - xdg_relabel_all_cache($2) - xdg_manage_all_config($2) - xdg_relabel_all_config($2) - xdg_manage_all_data($2) - xdg_relabel_all_data($2) - - xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache") - xdg_generic_user_home_dir_filetrans_config($2, dir, ".config") - xdg_generic_user_home_dir_filetrans_data($2, dir, ".local") - - xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents") - xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads") - xdg_generic_user_home_dir_filetrans_music($2, dir, "Music") - xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures") - xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos") - - xdg_manage_documents($2) - xdg_relabel_documents($2) - xdg_manage_downloads($2) - xdg_relabel_downloads($2) - xdg_manage_music($2) - xdg_relabel_music($2) - xdg_manage_pictures($2) - xdg_relabel_pictures($2) - xdg_manage_videos($2) - xdg_relabel_videos($2) - - xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache") - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_role'($*)) dnl - ') - - -####################################### -## -## Create sessions on the X server, with read-only -## access to the X server shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. 
-## -## -# - define(`xserver_ro_session',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_ro_session'($*)) dnl - - gen_require(` - type xserver_t, xserver_tmp_t, xserver_tmpfs_t; - ') - - # Xserver read/write client shm - allow xserver_t $1:fd use; - allow xserver_t $1:shm rw_shm_perms; - allow xserver_t $2:file { rw_file_perms map }; - - # Connect to xserver - allow $1 xserver_t:unix_stream_socket connectto; - allow $1 xserver_t:process signal; - - # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; - - # Client read xserver shm - allow $1 xserver_t:fd use; - allow $1 xserver_t:shm r_shm_perms; - allow $1 xserver_tmpfs_t:file read_file_perms; - - allow $1 $2:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_ro_session'($*)) dnl - ') - - -####################################### -## -## Create sessions on the X server, with read and write -## access to the X server shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. -## -## -# - define(`xserver_rw_session',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_session'($*)) dnl - - gen_require(` - type xserver_t, xserver_tmpfs_t; - ') - - xserver_ro_session($1,$2) - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_session'($*)) dnl - ') - - -####################################### -## -## Create non-drawing client sessions on an X server. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_non_drawing_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_non_drawing_client'($*)) dnl - - gen_require(` - class x_drawable { getattr get_property }; - class x_extension { query use }; - class x_gc { create setattr }; - class x_property read; - - type xserver_t, xdm_var_run_t; - type xextension_t, xproperty_t, root_xdrawable_t; - ') - - allow $1 self:x_gc { create setattr }; - - allow $1 xdm_var_run_t:dir search; - allow $1 xserver_t:unix_stream_socket connectto; - - allow $1 xextension_t:x_extension { query use }; - allow $1 root_xdrawable_t:x_drawable { getattr get_property }; - allow $1 xproperty_t:x_property read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_non_drawing_client'($*)) dnl - ') - - -####################################### -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Client domain allowed access. 
-## -## -# - define(`xserver_common_x_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_common_x_domain_template'($*)) dnl - - gen_require(` - type root_xdrawable_t; - type xevent_t, client_xevent_t; - type input_xevent_t, $1_input_xevent_t; - - attribute x_domain; - attribute xdrawable_type, xcolormap_type; - attribute input_xevent_type; - - class x_drawable all_x_drawable_perms; - class x_property all_x_property_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; - ') - - ############################## - # - # Local Policy - # - - # Type attributes - typeattribute $2 x_domain; - typeattribute $2 xdrawable_type, xcolormap_type; - - # X Properties - # disable property transitions for the time being. -# type_transition $2 xproperty_t:x_property $1_xproperty_t; - - # X Windows - # new windows have the domain type - type_transition $2 root_xdrawable_t:x_drawable $2; - - # X Input - # distinguish input events - type_transition $2 input_xevent_t:x_event $1_input_xevent_t; - # can send own events - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; - # can receive own events - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - # can receive default events - allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 xevent_t:{ x_event x_synthetic_event } receive; - # dont audit send failures - dontaudit $2 input_xevent_type:x_event send; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_common_x_domain_template'($*)) dnl - ') - - -####################################### -## -## Template for creating the set of types used -## in an X windows domain. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). 
-## -## -# - define(`xserver_object_types_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_object_types_template'($*)) dnl - - gen_require(` - attribute xproperty_type, input_xevent_type, xevent_type; - ') - - ############################## - # - # Declarations - # - - # Types for properties - type $1_xproperty_t, xproperty_type; - ubac_constrained($1_xproperty_t) - - # Types for events - type $1_input_xevent_t, input_xevent_type, xevent_type; - ubac_constrained($1_input_xevent_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_object_types_template'($*)) dnl - ') - - -####################################### -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Provides the minimal set required by a basic -## X client application. -## -## -## -## The prefix of the X client domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## Client domain allowed access. -## -## -## -## -## The type of the domain SYSV tmpfs files. 
-## -## -# - define(`xserver_user_x_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_user_x_domain_template'($*)) dnl - - gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; - ') - - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file - allow $2 xauth_home_t:file read_file_perms; - allow $2 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. - files_search_tmp($2) - - miscfiles_read_fonts($2) - - userdom_search_user_home_dirs($2) - # for .xsession-errors - xserver_rw_xsession_log($2) - - xserver_ro_session($2,$3) - xserver_use_user_fonts($2) - - xserver_read_xdm_tmp_files($2) - - # X object manager - xserver_object_types_template($1) - xserver_common_x_domain_template($1,$2) - - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_user_x_domain_template'($*)) dnl - ') - - -######################################## -## -## Read user fonts, user font configuration, -## and manage the user font cache. -## -## -##

-## Read user fonts, user font configuration, -## and manage the user font cache. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`xserver_use_user_fonts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_use_user_fonts'($*)) dnl - - gen_require(` - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - ') - - # Read per user fonts - allow $1 user_fonts_t:dir list_dir_perms; - allow $1 user_fonts_t:file { map read_file_perms }; - - # Manipulate the global font cache - manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) - manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) - allow $1 user_fonts_cache_t:file { map read_file_perms }; - - # Read per user font config - allow $1 user_fonts_config_t:dir list_dir_perms; - allow $1 user_fonts_config_t:file read_file_perms; - - userdom_search_user_home_dirs($1) - xdg_search_cache_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_use_user_fonts'($*)) dnl - ') - - -######################################## -## -## Transition to the Xauthority domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`xserver_domtrans_xauth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xauth'($*)) dnl - - gen_require(` - type xauth_t, xauth_exec_t; - ') - - domtrans_pattern($1, xauth_exec_t, xauth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_domtrans_xauth'($*)) dnl - ') - - -######################################## -## -## Create a Xauthority file in the user home directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`xserver_user_home_dir_filetrans_user_xauth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl - - gen_require(` - type xauth_home_t; - ') - - userdom_user_home_dir_filetrans($1, xauth_home_t, file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl - ') - - -####################################### -## -## Create a ICEauthority file in -## the user home directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -# - define(`xserver_user_home_dir_filetrans_user_iceauth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_iceauth'($*)) dnl - - gen_require(` - type iceauth_home_t; - ') - - userdom_user_home_dir_filetrans($1, iceauth_home_t, file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_iceauth'($*)) dnl - ') - - -######################################## -## -## Create a .xsession-errors log -## file in the user home directory. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_user_home_dir_filetrans_user_xsession_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_xsession_log'($*)) dnl - - gen_require(` - type xsession_log_t; - ') - - userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_xsession_log'($*)) dnl - ') - - -######################################## -## -## Read all users .Xauthority. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_read_user_xauth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_user_xauth'($*)) dnl - - gen_require(` - type xauth_home_t; - ') - - allow $1 xauth_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_user_xauth'($*)) dnl - ') - - -######################################## -## -## Read all users .dmrc. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_user_dmrc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_user_dmrc'($*)) dnl - - gen_require(` - type dmrc_home_t; - ') - - allow $1 dmrc_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_user_dmrc'($*)) dnl - ') - - -######################################## -## -## Read all users .ICEauthority. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_user_iceauth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_user_iceauth'($*)) dnl - - gen_require(` - type iceauth_home_t; - ') - - allow $1 iceauth_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_user_iceauth'($*)) dnl - ') - - -######################################## -## -## Set the attributes of the X windows console named pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_setattr_console_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_setattr_console_pipes'($*)) dnl - - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_setattr_console_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write the X windows console named pipe. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_rw_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_console'($*)) dnl - - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_console'($*)) dnl - ') - - -######################################## -## -## Create the X windows console named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_create_console_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_create_console_pipes'($*)) dnl - - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_create_console_pipes'($*)) dnl - ') - - -######################################## -## -## relabel the X windows console named pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_relabel_console_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_relabel_console_pipes'($*)) dnl - - gen_require(` - type xconsole_device_t; - ') - - allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_relabel_console_pipes'($*)) dnl - ') - - -######################################## -## -## Use file descriptors for xdm. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_use_xdm_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_use_xdm_fds'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_use_xdm_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## XDM file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`xserver_dontaudit_use_xdm_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_use_xdm_fds'($*)) dnl - - gen_require(` - type xdm_t; - ') - - dontaudit $1 xdm_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_use_xdm_fds'($*)) dnl - ') - - -######################################## -## -## Allow domain to send sigchld to xdm_t -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_sigchld_xdm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_sigchld_xdm'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_sigchld_xdm'($*)) dnl - ') - - -######################################## -## -## Read and write XDM unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_rw_xdm_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_pipes'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:fifo_file { getattr read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## XDM unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`xserver_dontaudit_rw_xdm_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_pipes'($*)) dnl - - - gen_require(` - type xdm_t; - ') - - dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_pipes'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## xdm over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_dbus_chat_xdm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat_xdm'($*)) dnl - - gen_require(` - type xdm_t; - class dbus send_msg; - ') - - allow $1 xdm_t:dbus send_msg; - allow xdm_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dbus_chat_xdm'($*)) dnl - ') - - -######################################## -## -## Read xdm process state files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_xdm_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_state'($*)) dnl - - gen_require(` - type xdm_t; - ') - - kernel_search_proc($1) - allow $1 xdm_t:dir list_dir_perms; - allow $1 xdm_t:file read_file_perms; - allow $1 xdm_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xdm_state'($*)) dnl - ') - - -######################################## -## -## Set the priority of the X Display -## Manager (XDM). -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_setsched_xdm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_setsched_xdm'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:process setsched; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_setsched_xdm'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## xdm_spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_manage_xdm_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_spool_files'($*)) dnl - - refpolicywarn(`$0() has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_spool_files'($*)) dnl - ') - - -######################################## -## -## Connect to XDM over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_stream_connect_xdm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_stream_connect_xdm'($*)) dnl - - gen_require(` - type xdm_t, xdm_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_stream_connect_xdm'($*)) dnl - ') - - -######################################## -## -## Read xdm-writable configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_xdm_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_rw_config'($*)) dnl - - gen_require(` - type xdm_rw_etc_t; - ') - - files_search_etc($1) - allow $1 xdm_rw_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xdm_rw_config'($*)) dnl - ') - - -######################################## -## -## Set the attributes of XDM temporary directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_setattr_xdm_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_setattr_xdm_tmp_dirs'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_setattr_xdm_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Create a named socket in a XDM -## temporary directory. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_create_xdm_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_create_xdm_tmp_sockets'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_create_xdm_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Delete a named socket in a XDM -## temporary directory. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_delete_xdm_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_delete_xdm_tmp_sockets'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_delete_xdm_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Read XDM pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_read_xdm_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_pid'($*)) dnl - - gen_require(` - type xdm_var_run_t; - ') - - files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xdm_pid'($*)) dnl - ') - - -######################################## -## -## Read XDM var lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_xdm_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_lib_files'($*)) dnl - - gen_require(` - type xdm_var_lib_t; - ') - - allow $1 xdm_var_lib_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xdm_lib_files'($*)) dnl - ') - - -######################################## -## -## Make an X session script an entrypoint for the specified domain. -## -## -## -## The domain for which the shell is an entrypoint. -## -## -# - define(`xserver_xsession_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_xsession_entry_type'($*)) dnl - - gen_require(` - type xsession_exec_t; - ') - - domain_entry_file($1, xsession_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_xsession_entry_type'($*)) dnl - ') - - -######################################## -## -## Execute an X session in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -##

-## Execute an Xsession in the target domain. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## The type of the shell process. -## -## -# - define(`xserver_xsession_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_xsession_spec_domtrans'($*)) dnl - - gen_require(` - type xsession_exec_t; - ') - - domain_transition_pattern($1, xsession_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_xsession_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Write to inherited xsession log -## files such as .xsession-errors. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_write_inherited_xsession_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_write_inherited_xsession_log'($*)) dnl - - gen_require(` - type xsession_log_t; - ') - - allow $1 xsession_log_t:file write_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_write_inherited_xsession_log'($*)) dnl - ') - - - -######################################## -## -## Read and write xsession log -## files such as .xsession-errors. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_rw_xsession_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_xsession_log'($*)) dnl - - gen_require(` - type xsession_log_t; - ') - - allow $1 xsession_log_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_xsession_log'($*)) dnl - ') - - -######################################## -## -## Manage xsession log files such -## as .xsession-errors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_manage_xsession_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_manage_xsession_log'($*)) dnl - - gen_require(` - type xsession_log_t; - ') - - allow $1 xsession_log_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_manage_xsession_log'($*)) dnl - ') - - -######################################## -## -## Write to inherited X server log -## files like /var/log/lightdm/lightdm.log -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_write_inherited_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_write_inherited_log'($*)) dnl - - gen_require(` - type xserver_log_t; - ') - - allow $1 xserver_log_t:file write_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_write_inherited_log'($*)) dnl - ') - - -######################################## -## -## Get the attributes of X server logs. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_getattr_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_getattr_log'($*)) dnl - - gen_require(` - type xserver_log_t; - ') - - logging_search_logs($1) - allow $1 xserver_log_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_getattr_log'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write the X server -## log files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`xserver_dontaudit_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_write_log'($*)) dnl - - gen_require(` - type xserver_log_t; - ') - - dontaudit $1 xserver_log_t:file { append ioctl write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_write_log'($*)) dnl - ') - - -######################################## -## -## Delete X server log files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_delete_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_delete_log'($*)) dnl - - gen_require(` - type xserver_log_t; - ') - - logging_search_logs($1) - allow $1 xserver_log_t:dir list_dir_perms; - delete_files_pattern($1, xserver_log_t, xserver_log_t) - delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_delete_log'($*)) dnl - ') - - -######################################## -## -## Read X keyboard extension libraries. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_xkb_libs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xkb_libs'($*)) dnl - - gen_require(` - type xkb_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 xkb_var_lib_t:dir list_dir_perms; - read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xkb_libs'($*)) dnl - ') - - -######################################## -## -## Create xdm temporary directories. -## -## -## -## Domain to allow access. 
-## -## -# - define(`xserver_create_xdm_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_create_xdm_tmp_dirs'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_create_xdm_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Read xdm temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_xdm_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_tmp_files'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_xdm_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read xdm temporary files. -## -## -## -## Domain to not audit. -## -## -# - define(`xserver_dontaudit_read_xdm_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read write xdm temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_rw_xdm_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_tmp_files'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete xdm temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_manage_xdm_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_files'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of -## xdm temporary named sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`xserver_dontaudit_getattr_xdm_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - dontaudit $1 xdm_tmp_t:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## list xdm_tmp_t directories -## -## -## -## Domain to allow -## -## -# - define(`xserver_list_xdm_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_list_xdm_tmp'($*)) dnl - - gen_require(` - type xdm_tmp_t; - ') - - allow $1 xdm_tmp_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_list_xdm_tmp'($*)) dnl - ') - - -######################################## -## -## Execute the X server in the X server domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`xserver_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_domtrans'($*)) dnl - - gen_require(` - type xserver_t, xserver_exec_t; - ') - - allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_domtrans'($*)) dnl - ') - - -######################################## -## -## Signal X servers -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_signal'($*)) dnl - - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_signal'($*)) dnl - ') - - -######################################## -## -## Kill X servers -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_kill'($*)) dnl - - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_kill'($*)) dnl - ') - - -######################################## -## -## Allow reading xserver_t files to get cgroup and sessionid -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_state'($*)) dnl - - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:dir search; - allow $1 xserver_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_state'($*)) dnl - ') - - -######################################## -## -## Read and write X server Sys V Shared -## memory segments. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_shm'($*)) dnl - - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_shm'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write to -## X server sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`xserver_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type xserver_t; - ') - - dontaudit $1 xserver_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write X server -## unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`xserver_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type xserver_t; - ') - - dontaudit $1 xserver_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Connect to the X server over a unix domain -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_stream_connect'($*)) dnl - - gen_require(` - type xserver_t, xserver_tmp_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read X server temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_read_tmp_files'($*)) dnl - - gen_require(` - type xserver_tmp_t; - ') - - allow $1 xserver_tmp_t:file read_file_perms; - files_search_tmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## talk to xserver_t by dbus -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat'($*)) dnl - - gen_require(` - type xserver_t; - ') - - allow $1 xserver_t:dbus send_msg; - allow xserver_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain permission to read the -## virtual core keyboard and virtual core pointer devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_manage_core_devices',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_manage_core_devices'($*)) dnl - - gen_require(` - type xserver_t; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; - ') - - allow $1 xserver_t:{ x_device x_pointer x_keyboard } { getattr setattr use read write getfocus setfocus bell force_cursor freeze grab manage list_property get_property set_property add remove create destroy }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_manage_core_devices'($*)) dnl - ') - - -######################################## -## -## Interface to provide X object permissions on a given X server to -## an X client domain. Gives the domain complete control over the -## display. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_unconfined'($*)) dnl - - gen_require(` - attribute x_domain; - attribute xserver_unconfined_type; - ') - - typeattribute $1 x_domain; - typeattribute $1 xserver_unconfined_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_unconfined'($*)) dnl - ') - - -######################################## -## -## Manage keys for xdm. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_rw_xdm_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_keys'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:key { read write setattr }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_keys'($*)) dnl - ') - - -######################################## -## -## Manage keys for xdm. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xserver_link_xdm_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_link_xdm_keys'($*)) dnl - - gen_require(` - type xdm_t; - ') - - allow $1 xdm_t:key link; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_link_xdm_keys'($*)) dnl - ') - - -######################################## -## -## Read and write the mesa shader cache. -## -## -## -## Domain allowed access. -## -## -# - define(`xserver_rw_mesa_shader_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xserver_rw_mesa_shader_cache'($*)) dnl - - gen_require(` - type mesa_shader_cache_t; - ') - - rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) - rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) - allow $1 mesa_shader_cache_t:file map; - - xdg_search_cache_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xserver_rw_mesa_shader_cache'($*)) dnl - ') - -## Postfix email server. - -######################################## -## -## Postfix stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_stub'($*)) dnl - - gen_require(` - type postfix_master_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_stub'($*)) dnl - ') - - -####################################### -## -## The template to define a postfix domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`postfix_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domain_template'($*)) dnl - - gen_require(` - attribute postfix_domain; - ') - - ######################################## - # - # Declarations - # - - type postfix_$1_t, postfix_domain; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - - ######################################## - # - # Policy - # - - can_exec(postfix_$1_t, postfix_$1_exec_t) - - auth_use_nsswitch(postfix_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domain_template'($*)) dnl - ') - - -####################################### -## -## The template to define a postfix server domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`postfix_server_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_server_domain_template'($*)) dnl - - gen_require(` - type postfix_master_t; - attribute postfix_server_domain, postfix_server_tmp_content; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_server_domain; - - type postfix_$1_tmp_t, postfix_server_tmp_content; - files_tmp_file(postfix_$1_tmp_t) - - ######################################## - # - # Declarations - # - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_server_domain_template'($*)) dnl - ') - - -####################################### -## 
-## The template to define a postfix user domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`postfix_user_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_user_domain_template'($*)) dnl - - gen_require(` - attribute postfix_user_domains, postfix_user_domtrans; - ') - - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - - ######################################## - # - # Policy - # - - allow postfix_$1_t self:capability dac_override; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_user_domain_template'($*)) dnl - ') - - -######################################## -## -## Read postfix configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`postfix_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_read_config'($*)) dnl - - gen_require(` - type postfix_etc_t; - ') - - files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; - allow $1 postfix_etc_t:file read_file_perms; - allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_read_config'($*)) dnl - ') - - -######################################## -## -## Create specified object in postfix -## etc directories with a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`postfix_config_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_config_filetrans'($*)) dnl - - gen_require(` - type postfix_etc_t; - ') - - filetrans_pattern($1, postfix_etc_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_config_filetrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write postfix local delivery -## TCP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`postfix_dontaudit_rw_local_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl - - gen_require(` - type postfix_local_t; - ') - - dontaudit $1 postfix_local_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write postfix local pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_rw_local_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_rw_local_pipes'($*)) dnl - - gen_require(` - type postfix_local_t; - ') - - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_rw_local_pipes'($*)) dnl - ') - - -######################################## -## -## Read postfix local process state files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postfix_read_local_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_read_local_state'($*)) dnl - - gen_require(` - type postfix_local_t; - ') - - kernel_search_proc($1) - allow $1 postfix_local_t:dir list_dir_perms; - allow $1 postfix_local_t:file read_file_perms; - allow $1 postfix_local_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_read_local_state'($*)) dnl - ') - - -######################################## -## -## Read and write inherited postfix master pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_rw_inherited_master_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_rw_inherited_master_pipes'($*)) dnl - - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; - allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_rw_inherited_master_pipes'($*)) dnl - ') - - -######################################## -## -## Read postfix master process state files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_read_master_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_read_master_state'($*)) dnl - - gen_require(` - type postfix_master_t; - ') - - kernel_search_proc($1) - allow $1 postfix_master_t:dir list_dir_perms; - allow $1 postfix_master_t:file read_file_perms; - allow $1 postfix_master_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_read_master_state'($*)) dnl - ') - - -######################################## -## -## Use postfix master file descriptors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postfix_use_fds_master',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_use_fds_master'($*)) dnl - - gen_require(` - type postfix_master_t; - ') - - allow $1 postfix_master_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_use_fds_master'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## postfix master process file -## file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`postfix_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_use_fds'($*)) dnl - - gen_require(` - type postfix_master_t; - ') - - dontaudit $1 postfix_master_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Execute postfix_map in the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`postfix_domtrans_map',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_map'($*)) dnl - - gen_require(` - type postfix_map_t, postfix_map_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_map'($*)) dnl - ') - - -######################################## -## -## Execute postfix map in the postfix -## map domain, and allow the specified -## role the postfix_map domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`postfix_run_map',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_run_map'($*)) dnl - - gen_require(` - attribute_role postfix_map_roles; - ') - - postfix_domtrans_map($1) - roleattribute $2 postfix_map_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_run_map'($*)) dnl - ') - - -######################################## -## -## Execute the master postfix program -## in the postfix_master domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`postfix_domtrans_master',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_master'($*)) dnl - - gen_require(` - type postfix_master_t, postfix_master_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_master'($*)) dnl - ') - - -######################################## -## -## Execute the master postfix program -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_exec_master',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_exec_master'($*)) dnl - - gen_require(` - type postfix_master_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_master_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_exec_master'($*)) dnl - ') - - -####################################### -## -## Connect to postfix master process -## using a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`postfix_stream_connect_master',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_stream_connect_master'($*)) dnl - - gen_require(` - type postfix_master_t, postfix_public_t; - ') - - stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_stream_connect_master'($*)) dnl - ') - - -######################################## -## -## Execute the master postdrop in the -## postfix postdrop domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`postfix_domtrans_postdrop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postdrop'($*)) dnl - - gen_require(` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_postdrop'($*)) dnl - ') - - -######################################## -## -## Execute the master postqueue in the -## postfix postqueue domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`postfix_domtrans_postqueue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postqueue'($*)) dnl - - gen_require(` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_postqueue'($*)) dnl - ') - - -####################################### -## -## Execute postfix postqueue in -## the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postfix_exec_postqueue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_exec_postqueue'($*)) dnl - - gen_require(` - type postfix_postqueue_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, postfix_postqueue_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_exec_postqueue'($*)) dnl - ') - - -######################################## -## -## Create postfix private sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_create_private_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_create_private_sockets'($*)) dnl - - gen_require(` - type postfix_private_t; - ') - - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_create_private_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## postfix private sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_manage_private_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_manage_private_sockets'($*)) dnl - - gen_require(` - type postfix_private_t; - ') - - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_manage_private_sockets'($*)) dnl - ') - - -######################################## -## -## Execute the smtp postfix program -## in the postfix smtp domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`postfix_domtrans_smtp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_smtp'($*)) dnl - - gen_require(` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_smtp'($*)) dnl - ') - - -######################################## -## -## Get attributes of all postfix mail -## spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_getattr_all_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_getattr_all_spool_files'($*)) dnl - - gen_require(` - attribute postfix_spool_type; - ') - - files_search_spool($1) - getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_getattr_all_spool_files'($*)) dnl - ') - - -######################################## -## -## Search postfix mail spool directories. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_search_spool'($*)) dnl - - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_search_spool'($*)) dnl - ') - - -######################################## -## -## List postfix mail spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postfix_list_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_list_spool'($*)) dnl - - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - allow $1 postfix_spool_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_list_spool'($*)) dnl - ') - - -######################################## -## -## Read postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_read_spool_files'($*)) dnl - - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## postfix mail spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`postfix_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_files'($*)) dnl - - gen_require(` - type postfix_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## Execute postfix user mail programs -## in their respective domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postfix_domtrans_user_mail_handler',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_domtrans_user_mail_handler'($*)) dnl - - gen_require(` - attribute postfix_user_domtrans; - ') - - typeattribute $1 postfix_user_domtrans; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_domtrans_user_mail_handler'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an postfix environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`postfix_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfix_admin'($*)) dnl - - gen_require(` - attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; - type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; - type postfix_data_t, postfix_runtime_t, postfix_public_t; - type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; - type postfix_keytab_t, postfix_t; - ') - - allow $1 postfix_domain:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_domain) - - init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t }) - - files_search_spool($1) - admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) - - files_search_var_lib($1) - admin_pattern($1, postfix_data_t) - - files_search_pids($1) - admin_pattern($1, postfix_runtime_t) - - files_search_tmp($1) - admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) - - postfix_exec_master($1) - postfix_exec_postqueue($1) - postfix_stream_connect_master($1) - postfix_run_map($1, $2) - - ifdef(`distro_gentoo',` - gen_require(` - type postfix_showq_exec_t; - type postfix_master_exec_t; - type 
postfix_postqueue_t; - ') - - allow postfix_postqueue_t $1:process sigchld; - - can_exec($1, postfix_showq_exec_t) - - # Postfix admin must be able to execute postfix main (for instance for "postfix reload") - can_exec($1, postfix_master_exec_t) - - # Allow postfix admin to send message to log files, needed during operations like "postfix reload" - logging_send_syslog_msg($1) - - # Reloading the system through postfix reload needs a few permissions - # "postfix: fatal: socket: Permission denied" - allow $1 self:tcp_socket create_stream_socket_perms; - # "postfix: fatal: inet_addr_local[getifaddrs]: getifaddrs: Permission denied" - allow $1 self:netlink_route_socket r_netlink_socket_perms; - # "postsuper: fatal: setuid(207): Operation not permitted" - allow $1 self:capability { setuid setgid }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfix_admin'($*)) dnl - ') - -## Postfix grey-listing server. - -######################################## -## -## Connect to postgrey using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`postgrey_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgrey_stream_connect'($*)) dnl - - gen_require(` - type postgrey_runtime_t, postgrey_t, postgrey_spool_t; - ') - - files_search_pids($1) - files_search_spool($1) - stream_connect_pattern($1, { postgrey_spool_t postgrey_runtime_t }, { postgrey_spool_t postgrey_runtime_t }, postgrey_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgrey_stream_connect'($*)) dnl - ') - - -######################################## -## -## Search spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`postgrey_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgrey_search_spool'($*)) dnl - - gen_require(` - type postgrey_spool_t; - ') - - files_search_spool($1) - allow $1 postgrey_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgrey_search_spool'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an postgrey environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`postgrey_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postgrey_admin'($*)) dnl - - gen_require(` - type postgrey_t, postgrey_etc_t, postgrey_spool_t; - type postgrey_var_lib_t, postgrey_runtime_t; - type postgrey_initrc_exec_t; - ') - - allow $1 postgrey_t:process { ptrace signal_perms }; - ps_process_pattern($1, postgrey_t) - - init_startstop_service($1, $2, postgrey_t, postgrey_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, postgrey_etc_t) - - files_list_var_lib($1) - admin_pattern($1, postgrey_var_lib_t) - - files_list_spool($1) - admin_pattern($1, postgrey_spool_t) - - files_list_pids($1) - admin_pattern($1, postgrey_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postgrey_admin'($*)) dnl - ') - -## Tools to send and receive short messages through GSM modems or mobile phones. - -######################################## -## -## All of the rules required to -## administrate an smstools environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`smstools_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `smstools_admin'($*)) dnl - - gen_require(` - type smsd_t, smsd_initrc_exec_t, smsd_conf_t; - type smsd_log_t, smsd_var_lib_t, smsd_runtime_t; - type smsd_spool_t; - ') - - allow $1 smsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, smsd_t) - - init_startstop_service($1, $2, smsd_t, smsd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, smsd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, smsd_var_lib_t) - - files_search_spool($1) - admin_pattern($1, smsd_spool_t) - - files_search_pids($1) - admin_pattern($1, smsd_runtime_t) - - logging_search_logs($1) - admin_pattern($1, smsd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `smstools_admin'($*)) dnl - ') - -## The Open Group Pegasus CIM/WBEM Server. - -######################################## -## -## All of the rules required to -## administrate an pegasus environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pegasus_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pegasus_admin'($*)) dnl - - gen_require(` - type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; - type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; - type pegasus_mof_t, pegasus_runtime_t; - ') - - allow $1 pegasus_t:process { ptrace signal_perms }; - ps_process_pattern($1, pegasus_t) - - init_startstop_service($1, $2, pegasus_t, pegasus_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, pegasus_conf_t) - - files_search_usr($1) - admin_pattern($1, pegasus_mof_t) - - files_search_tmp($1) - admin_pattern($1, pegasus_tmp_t) - - files_search_var($1) - admin_pattern($1, pegasus_cache_t) - - files_search_var_lib($1) - admin_pattern($1, pegasus_data_t) - - files_search_pids($1) - admin_pattern($1, pegasus_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pegasus_admin'($*)) dnl - ') - -## Geoclue is a D-Bus service that provides location information. -## Libvirt virtualization API. - -####################################### -## -## The template to define a virt domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`virt_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_domain_template'($*)) dnl - - gen_require(` - attribute_role virt_domain_roles; - attribute virt_image_type, virt_domain, virt_tmpfs_type; - attribute virt_ptynode, virt_tmp_type; - ') - - ######################################## - # - # Declarations - # - - type $1_t, virt_domain; - application_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role virt_domain_roles types $1_t; - - type $1_devpts_t, virt_ptynode; - term_pty($1_devpts_t) - - type $1_tmp_t, virt_tmp_type; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t, virt_tmpfs_type; - files_tmpfs_file($1_tmpfs_t) - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) - ') - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) - dev_associate_sysfs($1_image_t) - - ifdef(`distro_gentoo',` - optional_policy(` - qemu_entry_type($1_t) - ') - ') - - ######################################## - # - # Policy - # - - allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; - term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) - manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) - rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - 
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - - optional_policy(` - pulseaudio_run($1_t, virt_domain_roles) - ') - - optional_policy(` - xserver_rw_shm($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_domain_template'($*)) dnl - ') - - -####################################### -## -## The template to define a virt lxc domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`virt_lxc_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_lxc_domain_template'($*)) dnl - - gen_require(` - attribute_role svirt_lxc_domain_roles; - attribute svirt_lxc_domain; - ') - - type $1_t, svirt_lxc_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role svirt_lxc_domain_roles types $1_t; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_lxc_domain_template'($*)) dnl - ') - - -######################################## -## -## Make the specified type virt image type. -## -## -## -## Type to be used as a virtual image. -## -## -# - define(`virt_image',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_image'($*)) dnl - - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - dev_node($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_image'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run virtd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`virt_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_domtrans'($*)) dnl - - gen_require(` - type virtd_t, virtd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virtd_exec_t, virtd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run virt qmf. -## -## -## -## Domain allowed to transition. -## -## -# - define(`virt_domtrans_qmf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_domtrans_qmf'($*)) dnl - - gen_require(` - type virt_qmf_t, virt_qmf_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_domtrans_qmf'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run virt bridgehelper. -## -## -## -## Domain allowed to transition. -## -## -# - define(`virt_domtrans_bridgehelper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_domtrans_bridgehelper'($*)) dnl - - gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_domtrans_bridgehelper'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run virt leaseshelper. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`virt_domtrans_leaseshelper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_domtrans_leaseshelper'($*)) dnl - - gen_require(` - type virt_leaseshelper_t, virt_leaseshelper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_leaseshelper_exec_t, virt_leaseshelper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_domtrans_leaseshelper'($*)) dnl - ') - - -######################################## -## -## Execute bridgehelper in the bridgehelper -## domain, and allow the specified role -## the bridgehelper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`virt_run_bridgehelper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_run_bridgehelper'($*)) dnl - - gen_require(` - attribute_role virt_bridgehelper_roles; - ') - - virt_domtrans_bridgehelper($1) - roleattribute $2 virt_bridgehelper_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_run_bridgehelper'($*)) dnl - ') - - -######################################## -## -## Execute virt domain in the their -## domain, and allow the specified -## role that virt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`virt_run_virt_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_run_virt_domain'($*)) dnl - - gen_require(` - attribute virt_domain; - attribute_role virt_domain_roles; - ') - - allow $1 virt_domain:process { signal transition }; - roleattribute $2 virt_domain_roles; - - allow virt_domain $1:fd use; - allow virt_domain $1:fifo_file rw_fifo_file_perms; - allow virt_domain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_run_virt_domain'($*)) dnl - ') - - -######################################## -## -## Send generic signals to all virt domains. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_signal_all_virt_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_signal_all_virt_domains'($*)) dnl - - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_signal_all_virt_domains'($*)) dnl - ') - - -######################################## -## -## Send kill signals to all virt domains. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_kill_all_virt_domains',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_kill_all_virt_domains'($*)) dnl - - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_kill_all_virt_domains'($*)) dnl - ') - - -######################################## -## -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`virt_run_svirt_lxc_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_run_svirt_lxc_domain'($*)) dnl - - gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; - ') - - allow $1 svirt_lxc_domain:process { signal transition }; - roleattribute $2 svirt_lxc_domain_roles; - - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_run_svirt_lxc_domain'($*)) dnl - ') - - -####################################### -## -## Get attributes of virtd executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_getattr_virtd_exec_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_getattr_virtd_exec_files'($*)) dnl - - gen_require(` - type virtd_exec_t; - ') - - allow $1 virtd_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_getattr_virtd_exec_files'($*)) dnl - ') - - -####################################### -## -## Connect to virt with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_stream_connect'($*)) dnl - - gen_require(` - type virtd_t, virt_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, virt_runtime_t, virt_runtime_t, virtd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_stream_connect'($*)) dnl - ') - - -######################################## -## -## Attach to virt tun devices. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_attach_tun_iface',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_attach_tun_iface'($*)) dnl - - gen_require(` - type virtd_t; - ') - - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_attach_tun_iface'($*)) dnl - ') - - -######################################## -## -## Read virt configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_config'($*)) dnl - - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_config'($*)) dnl - - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_config'($*)) dnl - ') - - -######################################## -## -## Read virt content. 
-## -## -## -## Domain allowed access. -## -## -# - define(`virt_read_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_content'($*)) dnl - - gen_require(` - type virt_content_t; - ') - - virt_search_lib($1) - allow $1 virt_content_t:dir list_dir_perms; - list_dirs_pattern($1, virt_content_t, virt_content_t) - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_manage_virt_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_virt_content'($*)) dnl - - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir manage_dir_perms; - allow $1 virt_content_t:file manage_file_perms; - allow $1 virt_content_t:fifo_file manage_fifo_file_perms; - allow $1 virt_content_t:lnk_file manage_lnk_file_perms; - allow $1 virt_content_t:sock_file manage_sock_file_perms; - allow $1 virt_content_t:blk_file manage_blk_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_virt_content'($*)) dnl - ') - - -######################################## -## -## Relabel virt content. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_relabel_virt_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_relabel_virt_content'($*)) dnl - - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir relabel_dir_perms; - allow $1 virt_content_t:file relabel_file_perms; - allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_content_t:sock_file relabel_sock_file_perms; - allow $1 virt_content_t:blk_file relabel_blk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_relabel_virt_content'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the virt content type. 
-## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`virt_home_filetrans_virt_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_home_filetrans_virt_content'($*)) dnl - - gen_require(` - type virt_content_t; - ') - - virt_home_filetrans($1, virt_content_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_home_filetrans_virt_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## svirt home content. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_svirt_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_svirt_home_content'($*)) dnl - - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir manage_dir_perms; - allow $1 svirt_home_t:file manage_file_perms; - allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; - allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; - allow $1 svirt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_svirt_home_content'($*)) dnl - ') - - -######################################## -## -## Relabel svirt home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_relabel_svirt_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_relabel_svirt_home_content'($*)) dnl - - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir relabel_dir_perms; - allow $1 svirt_home_t:file relabel_file_perms; - allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 svirt_home_t:sock_file relabel_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_relabel_svirt_home_content'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the svirt home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`virt_home_filetrans_svirt_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_home_filetrans_svirt_home'($*)) dnl - - gen_require(` - type svirt_home_t; - ') - - virt_home_filetrans($1, svirt_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_home_filetrans_svirt_home'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## virt home directories with private -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`virt_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_home_filetrans'($*)) dnl - - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, virt_home_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt home files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_home_files'($*)) dnl - - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, virt_home_t, virt_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_home_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_manage_generic_virt_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_generic_virt_home_content'($*)) dnl - - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir manage_dir_perms; - allow $1 virt_home_t:file manage_file_perms; - allow $1 virt_home_t:fifo_file manage_fifo_file_perms; - allow $1 virt_home_t:lnk_file manage_lnk_file_perms; - allow $1 virt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_generic_virt_home_content'($*)) dnl - ') - - -######################################## -## -## Relabel virt home content. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_relabel_generic_virt_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_relabel_generic_virt_home_content'($*)) dnl - - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir relabel_dir_perms; - allow $1 virt_home_t:file relabel_file_perms; - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_relabel_generic_virt_home_content'($*)) dnl - ') - - -######################################## -## -## Create specified objects in user home -## directories with the generic virt -## home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. 
-## -## -## -## -## The name of the object being created. -## -## -# - define(`virt_home_filetrans_virt_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_home_filetrans_virt_home'($*)) dnl - - gen_require(` - type virt_home_t; - ') - - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_home_filetrans_virt_home'($*)) dnl - ') - - -######################################## -## -## Read virt pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_pid_files'($*)) dnl - - gen_require(` - type virt_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, virt_runtime_t, virt_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_pid_files'($*)) dnl - - gen_require(` - type virt_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, virt_runtime_t, virt_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Search virt lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_search_lib'($*)) dnl - - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_search_lib'($*)) dnl - ') - - -######################################## -## -## Read virt lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_lib_files'($*)) dnl - - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_lib_files'($*)) dnl - - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create objects in virt pid -## directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -## -# - define(`virt_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_pid_filetrans'($*)) dnl - - gen_require(` - type virt_runtime_t; - ') - - files_search_pids($1) - filetrans_pattern($1, virt_runtime_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_pid_filetrans'($*)) dnl - ') - - -######################################## -## -## Read virt log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`virt_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_log'($*)) dnl - - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_log'($*)) dnl - ') - - -######################################## -## -## Append virt log files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_append_log'($*)) dnl - - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_log'($*)) dnl - - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_log'($*)) dnl - ') - - -######################################## -## -## Search virt image directories. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_search_images',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_search_images'($*)) dnl - - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_search_images'($*)) dnl - ') - - -######################################## -## -## Read virt image files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_read_images',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_read_images'($*)) dnl - - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_read_images'($*)) dnl - ') - - -######################################## -## -## Read and write all virt image -## character files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_rw_all_image_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_rw_all_image_chr_files'($*)) dnl - - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_rw_all_image_chr_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt cache content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`virt_manage_virt_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_virt_cache'($*)) dnl - - gen_require(` - type virt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_virt_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## virt image files. -## -## -## -## Domain allowed access. -## -## -# - define(`virt_manage_images',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_manage_images'($*)) dnl - - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_manage_images'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an virt environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`virt_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `virt_admin'($*)) dnl - - gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; - type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; - type virsh_t, virtd_lxc_runtime_t, svirt_lxc_file_t; - type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; - type virt_runtime_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_runtime_t, virt_etc_rw_t; - type virt_etc_t, svirt_cache_t, virtd_keytab_t; - ') - - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) - - init_startstop_service($1, $2, virtd_t, virtd_initrc_exec_t) - - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) - - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) - - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_runtime_t virtd_lxc_runtime_t svirt_runtime_t }) - - files_search_var($1) - admin_pattern($1, svirt_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) - - files_search_locks($1) - admin_pattern($1, virt_lock_t) - - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `virt_admin'($*)) dnl - ') - -## Intrusion Detection and Log Analysis with iptables. - -######################################## -## -## Execute a domain transition to run psad. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`psad_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_domtrans'($*)) dnl - - gen_require(` - type psad_t, psad_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, psad_exec_t, psad_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to psad. -## -## -## -## Domain allowed access. -## -## -# - define(`psad_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_signal'($*)) dnl - - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_signal'($*)) dnl - ') - - -####################################### -## -## Send null signals to psad. -## -## -## -## Domain allowed access. -## -## -# - define(`psad_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_signull'($*)) dnl - - gen_require(` - type psad_t; - ') - - allow $1 psad_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_signull'($*)) dnl - ') - - -######################################## -## -## Read psad configuration content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`psad_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_read_config'($*)) dnl - - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - allow $1 psad_etc_t:dir list_dir_perms; - allow $1 psad_etc_t:file read_file_perms; - allow $1 psad_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_read_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## psad configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`psad_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_manage_config'($*)) dnl - - gen_require(` - type psad_etc_t; - ') - - files_search_etc($1) - allow $1 psad_etc_t:dir manage_dir_perms; - allow $1 psad_etc_t:file manage_file_perms; - allow $1 psad_etc_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_manage_config'($*)) dnl - ') - - -######################################## -## -## Read psad pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`psad_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_read_pid_files'($*)) dnl - - gen_require(` - type psad_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, psad_runtime_t, psad_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Read and write psad pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`psad_rw_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_rw_pid_files'($*)) dnl - - gen_require(` - type psad_runtime_t; - ') - - files_search_pids($1) - rw_files_pattern($1, psad_runtime_t, psad_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_rw_pid_files'($*)) dnl - ') - - -######################################## -## -## Read psad log content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`psad_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_read_log'($*)) dnl - - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - allow $1 psad_var_log_t:dir list_dir_perms; - allow $1 psad_var_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_read_log'($*)) dnl - ') - - -######################################## -## -## Append psad log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`psad_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_append_log'($*)) dnl - - gen_require(` - type psad_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, psad_var_log_t, psad_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_append_log'($*)) dnl - ') - - -######################################## -## -## Read and write psad fifo files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`psad_rw_fifo_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_rw_fifo_file'($*)) dnl - - gen_require(` - type psad_var_lib_t; - ') - - files_search_var_lib($1) - rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_rw_fifo_file'($*)) dnl - ') - - -####################################### -## -## Read and write psad temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`psad_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_rw_tmp_files'($*)) dnl - - gen_require(` - type psad_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, psad_tmp_t, psad_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an psad environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`psad_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `psad_admin'($*)) dnl - - gen_require(` - type psad_t, psad_runtime_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; - type psad_tmp_t, psad_etc_t; - ') - - allow $1 psad_t:process { ptrace signal_perms }; - ps_process_pattern($1, psad_t) - - init_startstop_service($1, $2, psad_t, psad_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, psad_etc_t) - - files_search_pids($1) - admin_pattern($1, psad_runtime_t) - - logging_search_logs($1) - admin_pattern($1, psad_var_log_t) - - files_search_var_lib($1) - admin_pattern($1, psad_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, psad_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `psad_admin'($*)) dnl - ') - -## Content-based spam filter designed for multi-user enterprise systems. - -######################################## -## -## Execute a domain transition to run dspam. -## -## -## -## Domain allowed access. -## -## -# - define(`dspam_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dspam_domtrans'($*)) dnl - - gen_require(` - type dspam_t, dspam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dspam_exec_t, dspam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dspam_domtrans'($*)) dnl - ') - - -####################################### -## -## Connect to dspam using a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dspam_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dspam_stream_connect'($*)) dnl - - gen_require(` - type dspam_t, dspam_runtime_t; - ') - - files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, dspam_runtime_t, dspam_runtime_t, dspam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dspam_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dspam environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dspam_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dspam_admin'($*)) dnl - - gen_require(` - type dspam_t, dspam_initrc_exec_t, dspam_log_t; - type dspam_var_lib_t, dspam_runtime_t; - ') - - allow $1 dspam_t:process { ptrace signal_perms }; - ps_process_pattern($1, dspam_t) - - init_startstop_service($1, $2, dspam_t, dspam_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, dspam_log_t) - - files_search_var_lib($1) - admin_pattern($1, dspam_var_lib_t) - - files_search_pids($1) - admin_pattern($1, dspam_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dspam_admin'($*)) dnl - ') - -## Implementations of the Cryptoki specification. - -######################################## -## -## All of the rules required to -## administrate an pkcs slotd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pkcs_admin_slotd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pkcs_admin_slotd'($*)) dnl - - gen_require(` - type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t; - type pkcs_slotd_runtime_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t; - ') - - allow $1 pkcs_slotd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pkcs_slotd_t) - - init_startstop_service($1, $2, pkcs_slotd_t, pkcs_slotd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, pkcs_slotd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, pkcs_slotd_runtime_t) - - files_search_tmp($1) - admin_pattern($1, pkcs_slotd_tmp_t) - - fs_search_tmpfs($1) - admin_pattern($1, pkcs_slotd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pkcs_admin_slotd'($*)) dnl - ') - -## Monopoly daemon. - -######################################## -## -## All of the rules required to -## administrate an monop environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`monop_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monop_admin'($*)) dnl - - gen_require(` - type monopd_t, monopd_initrc_exec_t, monopd_share_t; - type monopd_etc_t, monopd_runtime_t; - ') - - allow $1 monopd_t:process { ptrace signal_perms }; - ps_process_pattern($1, monopd_t) - - init_startstop_service($1, $2, monopd_t, monopd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, monopd_etc_t) - - files_search_pids($1) - admin_pattern($1, monopd_runtime_t) - - files_search_usr($1) - admin_pattern($1, monopd_share_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monop_admin'($*)) dnl - ') - -## Mail transfer agent. - -######################################## -## -## Execute exim in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`exim_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_exec'($*)) dnl - - gen_require(` - type exim_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, exim_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_exec'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run exim. -## -## -## -## Domain allowed to transition. -## -## -# - define(`exim_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_domtrans'($*)) dnl - - gen_require(` - type exim_t, exim_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, exim_exec_t, exim_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute exim in the exim domain, -## and allow the specified role -## the exim domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`exim_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_run'($*)) dnl - - gen_require(` - attribute_role exim_roles; - ') - - exim_domtrans($1) - roleattribute $2 exim_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_run'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read exim -## temporary tmp files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`exim_dontaudit_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_dontaudit_read_tmp_files'($*)) dnl - - gen_require(` - type exim_tmp_t; - ') - - dontaudit $1 exim_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_dontaudit_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read exim temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_read_tmp_files'($*)) dnl - - gen_require(` - type exim_tmp_t; - ') - - allow $1 exim_tmp_t:file read_file_perms; - files_search_tmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read exim pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_read_pid_files'($*)) dnl - - gen_require(` - type exim_pid_t; - ') - - allow $1 exim_pid_t:file read_file_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Read exim log files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`exim_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_read_log'($*)) dnl - - gen_require(` - type exim_log_t; - ') - - read_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_read_log'($*)) dnl - ') - - -######################################## -## -## Append exim log files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_append_log'($*)) dnl - - gen_require(` - type exim_log_t; - ') - - append_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## exim log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`exim_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_manage_log'($*)) dnl - - gen_require(` - type exim_log_t; - ') - - manage_files_pattern($1, exim_log_t, exim_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_manage_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## exim spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`exim_manage_spool_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_manage_spool_dirs'($*)) dnl - - gen_require(` - type exim_spool_t; - ') - - manage_dirs_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_manage_spool_dirs'($*)) dnl - ') - - -######################################## -## -## Read exim spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_read_spool_files'($*)) dnl - - gen_require(` - type exim_spool_t; - ') - - allow $1 exim_spool_t:file read_file_perms; - allow $1 exim_spool_t:dir list_dir_perms; - files_search_spool($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## exim spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_manage_spool_files'($*)) dnl - - gen_require(` - type exim_spool_t; - ') - - manage_files_pattern($1, exim_spool_t, exim_spool_t) - files_search_spool($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## Read exim var lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`exim_read_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_read_var_lib_files'($*)) dnl - - gen_require(` - type exim_var_lib_t; - ') - - read_files_pattern($1, exim_var_lib_t, exim_var_lib_t) - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_read_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, and write exim var lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`exim_manage_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_manage_var_lib_files'($*)) dnl - - gen_require(` - type exim_var_lib_t; - ') - - manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t) - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_manage_var_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an exim environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`exim_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `exim_admin'($*)) dnl - - gen_require(` - type exim_t, exim_spool_t, exim_log_t; - type exim_pid_t, exim_initrc_exec_t, exim_tmp_t; - type exim_keytab_t; - ') - - allow $1 exim_t:process { ptrace signal_perms }; - ps_process_pattern($1, exim_t) - - init_startstop_service($1, $2, exim_t, exim_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, exim_keytab_t) - - files_search_spool($1) - admin_pattern($1, exim_spool_t) - - logging_search_logs($1) - admin_pattern($1, exim_log_t) - - files_search_pids($1) - admin_pattern($1, exim_pid_t) - - files_search_tmp($1) - admin_pattern($1, exim_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `exim_admin'($*)) dnl - ') - -## Simple network management protocol services. - -######################################## -## -## Connect to snmpd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`snmp_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_stream_connect'($*)) dnl - - gen_require(` - type snmpd_t, snmpd_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_stream_connect'($*)) dnl - ') - - -######################################## -## -## Connect to snmp over the TCP network. -## -## -## -## Domain allowed access. 
-## -## -# - define(`snmp_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_tcp_connect'($*)) dnl - - gen_require(` - type snmpd_t; - ') - - corenet_tcp_recvfrom_labeled($1, snmpd_t) - corenet_tcp_connect_snmp_port($1) - corenet_sendrecv_snmp_client_packets($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_tcp_connect'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## snmp lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`snmp_manage_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_dirs'($*)) dnl - - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## snmp lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`snmp_manage_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_files'($*)) dnl - - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; - manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Read snmpd lib content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`snmp_read_snmp_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_files'($*)) dnl - - gen_require(` - type snmpd_var_lib_t; - ') - - allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read -## snmpd lib content. -## -## -## -## Domain to not audit. -## -## -# - define(`snmp_dontaudit_read_snmp_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl - - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; - dontaudit $1 snmpd_var_lib_t:file read_file_perms; - dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## snmpd lib files. -## -## -## -## Domain to not audit. -## -## -# - define(`snmp_dontaudit_write_snmp_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl - - gen_require(` - type snmpd_var_lib_t; - ') - - dontaudit $1 snmpd_var_lib_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an snmp environment. 
-## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`snmp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_admin'($*)) dnl - - gen_require(` - type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; - type snmpd_var_lib_t, snmpd_runtime_t; - ') - - allow $1 snmpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, snmpd_t) - - init_startstop_service($1, $2, snmpd_t, snmpd_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, snmpd_log_t) - - files_list_var_lib($1) - admin_pattern($1, snmpd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, snmpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_admin'($*)) dnl - ') - - -# Gentoo stuff but cannot use ifdef distro_gentoo - -######################################## -## -## Append to the snmp variable lib data -## -## -## -## Domain allowed access. -## -## -# - define(`snmp_append_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `snmp_append_var_lib_files'($*)) dnl - - gen_require(` - type snmp_var_lib_t; - ') - - allow $1 snmp_var_lib_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `snmp_append_var_lib_files'($*)) dnl - ') - -## Virtual network service for Openstack. - -######################################## -## -## All of the rules required to -## administrate an quantum environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`quantum_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `quantum_admin'($*)) dnl - - gen_require(` - type quantum_t, quantum_initrc_exec_t, quantum_log_t; - type quantum_var_lib_t, quantum_tmp_t; - ') - - allow $1 quantum_t:process { ptrace signal_perms }; - ps_process_pattern($1, quantum_t) - - init_startstop_service($1, $2, quantum_t, quantum_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, quantum_log_t) - - files_search_var_lib($1) - admin_pattern($1, quantum_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, quantum_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `quantum_admin'($*)) dnl - ') - -## Encrypted tunnel daemon. - -######################################## -## -## All of the rules required to -## administrate an cipe environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cipe_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cipe_admin'($*)) dnl - - gen_require(` - type ciped_t, ciped_initrc_exec_t; - ') - - allow $1 ciped_t:process { ptrace signal_perms }; - ps_process_pattern($1, ciped_t) - - init_startstop_service($1, $2, ciped_t, ciped_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cipe_admin'($*)) dnl - ') - -## Zarafa collaboration platform. - -####################################### -## -## The template to define a zarafa domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`zarafa_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_domain_template'($*)) dnl - - gen_require(` - attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; - ') - - ######################################## - # - # Declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - - type zarafa_$1_log_t, zarafa_logfile; - logging_log_file(zarafa_$1_log_t) - - type zarafa_$1_runtime_t alias zarafa_$1_var_run_t, zarafa_pidfile; - files_pid_file(zarafa_$1_runtime_t) - - ######################################## - # - # Policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_runtime_t, zarafa_$1_runtime_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_runtime_t, zarafa_$1_runtime_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_runtime_t, { file sock_file }) - - append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) - - auth_use_nsswitch(zarafa_$1_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_domain_template'($*)) dnl - ') - - -###################################### -## -## search zarafa configuration directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`zarafa_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_search_config'($*)) dnl - - gen_require(` - type zarafa_etc_t; - ') - - files_search_etc($1) - allow $1 zarafa_etc_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_search_config'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run zarafa deliver. -## -## -## -## Domain allowed to transition. -## -## -# - define(`zarafa_domtrans_deliver',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_deliver'($*)) dnl - - gen_require(` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_domtrans_deliver'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run zarafa server. -## -## -## -## Domain allowed to transition. -## -## -# - define(`zarafa_domtrans_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_server'($*)) dnl - - gen_require(` - type zarafa_server_t, zarafa_server_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_domtrans_server'($*)) dnl - ') - - -####################################### -## -## Connect to zarafa server with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`zarafa_stream_connect_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_stream_connect_server'($*)) dnl - - gen_require(` - type zarafa_server_t, zarafa_server_runtime_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, zarafa_server_runtime_t, zarafa_server_runtime_t, zarafa_server_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_stream_connect_server'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an zarafa environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`zarafa_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zarafa_admin'($*)) dnl - - gen_require(` - attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; - type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; - type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; - type zarafa_var_lib_t; - ') - - allow $1 zarafa_domain:process { ptrace signal_perms }; - ps_process_pattern($1, zarafa_domain) - - init_startstop_service($1, $2, zarafa_t, zarafa_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, zarafa_etc_t) - - files_search_tmp($1) - admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) - - logging_search_logs($1) - admin_pattern($1, zarafa_logfile) - - files_search_var_lib($1) - admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) - - files_search_pids($1) - admin_pattern($1, zarafa_pidfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zarafa_admin'($*)) dnl - ') - -## General Purpose Mouse driver. - -######################################## -## -## Connect to GPM over a unix domain -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gpm_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpm_stream_connect'($*)) dnl - - gen_require(` - type gpmctl_t, gpm_t; - ') - - dev_list_all_dev_nodes($1) - stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpm_stream_connect'($*)) dnl - ') - - -######################################## -## -## Get attributes of gpm control -## channel named sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`gpm_getattr_gpmctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpm_getattr_gpmctl'($*)) dnl - - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file getattr_sock_file_perms; - allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpm_getattr_gpmctl'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get -## attributes of gpm control channel -## named sock files. -## -## -## -## Domain to not audit. -## -## -# - define(`gpm_dontaudit_getattr_gpmctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpm_dontaudit_getattr_gpmctl'($*)) dnl - - gen_require(` - type gpmctl_t; - ') - - dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; - dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpm_dontaudit_getattr_gpmctl'($*)) dnl - ') - - -######################################## -## -## Set attributes of gpm control -## channel named sock files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gpm_setattr_gpmctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpm_setattr_gpmctl'($*)) dnl - - gen_require(` - type gpmctl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 gpmctl_t:sock_file setattr_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpm_setattr_gpmctl'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an gpm environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`gpm_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpm_admin'($*)) dnl - - gen_require(` - type gpm_t, gpm_conf_t, gpm_initrc_exec_t; - type gpm_runtime_t, gpmctl_t; - ') - - allow $1 gpm_t:process { ptrace signal_perms }; - ps_process_pattern($1, gpm_t) - - init_startstop_service($1, $2, gpm_t, gpm_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, gpm_conf_t) - - dev_list_all_dev_nodes($1) - admin_pattern($1, gpmctl_t) - - files_search_pids($1) - admin_pattern($1, gpm_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpm_admin'($*)) dnl - ') - -## full-featured SSL VPN solution. - -######################################## -## -## Execute openvpn clients in the -## openvpn domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`openvpn_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_domtrans'($*)) dnl - - gen_require(` - type openvpn_t, openvpn_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openvpn_exec_t, openvpn_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute openvpn clients in the -## openvpn domain, and allow the -## specified role the openvpn domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`openvpn_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_run'($*)) dnl - - gen_require(` - attribute_role openvpn_roles; - ') - - openvpn_domtrans($1) - roleattribute $2 openvpn_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_run'($*)) dnl - ') - - -######################################## -## -## Send kill signals to openvpn. -## -## -## -## Domain allowed access. -## -## -# - define(`openvpn_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_kill'($*)) dnl - - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_kill'($*)) dnl - ') - - -######################################## -## -## Send generic signals to openvpn. -## -## -## -## Domain allowed access. 
-## -## -# - define(`openvpn_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_signal'($*)) dnl - - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to openvpn. -## -## -## -## Domain allowed access. -## -## -# - define(`openvpn_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_signull'($*)) dnl - - gen_require(` - type openvpn_t; - ') - - allow $1 openvpn_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_signull'($*)) dnl - ') - - -######################################## -## -## Read openvpn configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`openvpn_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_read_config'($*)) dnl - - gen_require(` - type openvpn_etc_t; - ') - - files_search_etc($1) - allow $1 openvpn_etc_t:dir list_dir_perms; - allow $1 openvpn_etc_t:file read_file_perms; - allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_read_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an openvpn environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`openvpn_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvpn_admin'($*)) dnl - - gen_require(` - type openvpn_t, openvpn_etc_t, openvpn_var_log_t; - type openvpn_runtime_t, openvpn_initrc_exec_t, openvpn_etc_rw_t; - type openvpn_status_t; - ') - - allow $1 openvpn_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvpn_t) - - init_startstop_service($1, $2, openvpn_t, openvpn_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t }) - - logging_list_logs($1) - admin_pattern($1, { openvpn_status_t openvpn_var_log_t }) - - files_list_pids($1) - admin_pattern($1, openvpn_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvpn_admin'($*)) dnl - ') - -## Dynamic adaptive system tuning daemon. - -######################################## -## -## Execute a domain transition to run tuned. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tuned_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_domtrans'($*)) dnl - - gen_require(` - type tuned_t, tuned_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tuned_exec_t, tuned_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute tuned in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`tuned_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_exec'($*)) dnl - - gen_require(` - type tuned_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, tuned_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_exec'($*)) dnl - ') - - -###################################### -## -## Read tuned pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`tuned_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_read_pid_files'($*)) dnl - - gen_require(` - type tuned_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, tuned_runtime_t, tuned_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_read_pid_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## tuned pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`tuned_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_manage_pid_files'($*)) dnl - - gen_require(` - type tuned_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, tuned_runtime_t, tuned_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Execute tuned init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`tuned_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_initrc_domtrans'($*)) dnl - - gen_require(` - type tuned_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tuned_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an tuned environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`tuned_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tuned_admin'($*)) dnl - - gen_require(` - type tuned_t, tuned_runtime_t, tuned_initrc_exec_t; - type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; - ') - - allow $1 tuned_t:process { ptrace signal_perms }; - ps_process_pattern($1, tuned_t) - - init_startstop_service($1, $2, tuned_t, tuned_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, { tuned_etc_t tuned_rw_etc_t }) - - logging_search_logs($1) - admin_pattern($1, tuned_log_t) - - files_search_pids($1) - admin_pattern($1, tuned_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tuned_admin'($*)) dnl - ') - -## High-performance interface between an email server and content checkers. - -######################################## -## -## Execute a domain transition to run amavis. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`amavis_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_domtrans'($*)) dnl - - gen_require(` - type amavis_t, amavis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, amavis_exec_t, amavis_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute amavis server in the amavis domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`amavis_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_initrc_domtrans'($*)) dnl - - gen_require(` - type amavis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, amavis_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read amavis spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`amavis_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_read_spool_files'($*)) dnl - - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, amavis_spool_t, amavis_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## amavis spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`amavis_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_manage_spool_files'($*)) dnl - - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t) - manage_files_pattern($1, amavis_spool_t, amavis_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## Create objects in the amavis spool directories -## with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`amavis_spool_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_spool_filetrans'($*)) dnl - - gen_require(` - type amavis_spool_t; - ') - - files_search_spool($1) - filetrans_pattern($1, amavis_spool_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_spool_filetrans'($*)) dnl - ') - - -######################################## -## -## Search amavis lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`amavis_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_search_lib'($*)) dnl - - gen_require(` - type amavis_var_lib_t; - ') - - allow $1 amavis_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_search_lib'($*)) dnl - ') - - -######################################## -## -## Read amavis lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`amavis_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_read_lib_files'($*)) dnl - - gen_require(` - type amavis_var_lib_t; - ') - - read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - allow $1 amavis_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## amavis lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`amavis_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_manage_lib_files'($*)) dnl - - gen_require(` - type amavis_var_lib_t; - ') - - manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Set attributes of amavis pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`amavis_setattr_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_setattr_pid_files'($*)) dnl - - gen_require(` - type amavis_runtime_t; - ') - - allow $1 amavis_runtime_t:file setattr_file_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_setattr_pid_files'($*)) dnl - ') - - -######################################## -## -## Create amavis pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`amavis_create_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_create_pid_files'($*)) dnl - - gen_require(` - type amavis_runtime_t; - ') - - allow $1 amavis_runtime_t:dir add_entry_dir_perms; - allow $1 amavis_runtime_t:file create_file_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_create_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an amavis environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`amavis_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `amavis_admin'($*)) dnl - - gen_require(` - type amavis_t, amavis_tmp_t, amavis_var_log_t; - type amavis_spool_t, amavis_var_lib_t, amavis_runtime_t; - type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; - ') - - allow $1 amavis_t:process { ptrace signal_perms }; - ps_process_pattern($1, amavis_t) - - init_startstop_service($1, $2, amavis_t, amavis_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, amavis_etc_t) - - admin_pattern($1, amavis_quarantine_t) - - files_list_spool($1) - admin_pattern($1, amavis_spool_t) - - files_list_tmp($1) - admin_pattern($1, amavis_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, amavis_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, amavis_var_log_t) - - files_list_pids($1) - admin_pattern($1, amavis_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `amavis_admin'($*)) dnl - ') - -## Likewise Active Directory support for UNIX. - -####################################### -## -## The template to define a likewise domain. -## -## -## -## The type of daemon to be used. 
-## -## -# - define(`likewise_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `likewise_domain_template'($*)) dnl - - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; - ') - - ######################################## - # - # Declarations - # - - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - typeattribute $1_t likewise_domains; - - type $1_runtime_t alias $1_var_run_t; - files_pid_file($1_runtime_t) - - type $1_var_socket_t; - files_type($1_var_socket_t) - - type $1_var_lib_t; - files_type($1_var_lib_t) - - #################################### - # - # Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_stream_socket { accept listen }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t) - files_pid_filetrans($1_t, $1_runtime_t, file) - - manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `likewise_domain_template'($*)) dnl - ') - - -######################################## -## -## Connect to lsassd with a unix domain -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`likewise_stream_connect_lsassd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `likewise_stream_connect_lsassd'($*)) dnl - - gen_require(` - type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `likewise_stream_connect_lsassd'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an likewise environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`likewise_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `likewise_admin'($*)) dnl - - gen_require(` - attribute likewise_domains; - type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t; - type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t; - type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t; - type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t; - type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t; - type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t; - type eventlogd_runtime_t, lsassd_runtime_t, lwiod_runtime_t; - type lwregd_runtime_t, netlogond_runtime_t, srvsvcd_runtime_t; - ') - - allow $1 likewise_domains:process { ptrace signal_perms }; - ps_process_pattern($1, likewise_domains) - - init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t }) - - files_search_var_lib($1) - admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t }) - admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t }) - admin_pattern($1, { 
lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t }) - admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t }) - admin_pattern($1, dcerpcd_var_lib_t) - - files_list_tmp($1) - admin_pattern($1, lsassd_tmp_t) - - files_list_pids($1) - admin_pattern($1, { eventlogd_runtime_t lsassd_runtime_t lwiod_runtime_t }) - admin_pattern($1, { lwregd_runtime_t netlogond_runtime_t srvsvcd_runtime_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `likewise_admin'($*)) dnl - ') - -## PCSC smart card service. - -######################################## -## -## Execute a domain transition to run pcscd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`pcscd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcscd_domtrans'($*)) dnl - - gen_require(` - type pcscd_t, pcscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pcscd_exec_t, pcscd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcscd_domtrans'($*)) dnl - ') - - -######################################## -## -## Read pcscd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`pcscd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcscd_read_pid_files'($*)) dnl - - gen_require(` - type pcscd_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, pcscd_runtime_t, pcscd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcscd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to pcscd over an unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`pcscd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcscd_stream_connect'($*)) dnl - - gen_require(` - type pcscd_t, pcscd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, pcscd_runtime_t, pcscd_runtime_t, pcscd_t) - - allow pcscd_t $1:dir list_dir_perms; - allow pcscd_t $1:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcscd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an pcscd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`pcscd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcscd_admin'($*)) dnl - - gen_require(` - type pcscd_t, pcscd_initrc_exec_t, pcscd_runtime_t; - ') - - allow $1 pcscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, pcscd_t) - - init_startstop_service($1, $2, pcscd_t, pcscd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, pcscd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcscd_admin'($*)) dnl - ') - -## D-Bus service providing high-level OBEX client and server side functionality. - -####################################### -## -## The role template for obex. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -## -## The role associated with the user domain. -## -## -## -## -## The type of the user domain. 
-## -## -# - define(`obex_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `obex_role_template'($*)) dnl - - gen_require(` - attribute_role obex_roles; - type obex_t, obex_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $2 obex_roles; - - ######################################## - # - # Policy - # - - allow $3 obex_t:process { ptrace signal_perms }; - ps_process_pattern($3, obex_t) - - dbus_spec_session_domain($1, obex_t, obex_exec_t) - - obex_dbus_chat($3) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `obex_role_template'($*)) dnl - ') - - -######################################## -## -## Execute obex in the obex domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`obex_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `obex_domtrans'($*)) dnl - - gen_require(` - type obex_t, obex_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, obex_exec_t, obex_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `obex_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## obex over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`obex_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `obex_dbus_chat'($*)) dnl - - gen_require(` - type obex_t; - class dbus send_msg; - ') - - allow $1 obex_t:dbus send_msg; - allow obex_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `obex_dbus_chat'($*)) dnl - ') - -## External plugin for mod_authnz_external authenticator. - -######################################## -## -## Role access for pwauth. -## -## -## -## Role allowed access. 
-## -## -## -## -## User domain for the role. -## -## -# - define(`pwauth_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pwauth_role'($*)) dnl - - gen_require(` - type pwauth_t; - ') - - pwauth_run($2, $1) - - ps_process_pattern($2, pwauth_t) - allow $2 pwauth_t:process { ptrace signal_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pwauth_role'($*)) dnl - ') - - -######################################## -## -## Execute pwauth in the pwauth domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`pwauth_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pwauth_domtrans'($*)) dnl - - gen_require(` - type pwauth_t, pwauth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, pwauth_exec_t, pwauth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pwauth_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute pwauth in the pwauth -## domain, and allow the specified -## role the pwauth domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`pwauth_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pwauth_run'($*)) dnl - - gen_require(` - attribute_role pwauth_roles; - ') - - pwauth_domtrans($1) - roleattribute $2 pwauth_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pwauth_run'($*)) dnl - ') - -## Automated bug-reporting tool. - -###################################### -## -## Execute abrt in the abrt domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`abrt_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_domtrans'($*)) dnl - - gen_require(` - type abrt_t, abrt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_exec_t, abrt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute abrt in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_exec'($*)) dnl - - gen_require(` - type abrt_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, abrt_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_exec'($*)) dnl - ') - - -######################################## -## -## Send null signals to abrt. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_signull'($*)) dnl - - gen_require(` - type abrt_t; - ') - - allow $1 abrt_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_signull'($*)) dnl - ') - - -######################################## -## -## Read process state of abrt. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_read_state'($*)) dnl - - gen_require(` - type abrt_t; - ') - - ps_process_pattern($1, abrt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_read_state'($*)) dnl - ') - - -######################################## -## -## Connect to abrt over an unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`abrt_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_stream_connect'($*)) dnl - - gen_require(` - type abrt_t, abrt_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, abrt_runtime_t, abrt_runtime_t, abrt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_stream_connect'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## abrt over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_dbus_chat'($*)) dnl - - gen_require(` - type abrt_t; - class dbus send_msg; - ') - - allow $1 abrt_t:dbus send_msg; - allow abrt_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_dbus_chat'($*)) dnl - ') - - -##################################### -## -## Execute abrt-helper in the abrt -## helper domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`abrt_domtrans_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_domtrans_helper'($*)) dnl - - gen_require(` - type abrt_helper_t, abrt_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_domtrans_helper'($*)) dnl - ') - - -######################################## -## -## Execute abrt helper in the abrt -## helper domain, and allow the -## specified role the abrt helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`abrt_run_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_run_helper'($*)) dnl - - gen_require(` - attribute_role abrt_helper_roles; - ') - - abrt_domtrans_helper($1) - roleattribute $2 abrt_helper_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_run_helper'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## abrt cache content. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_manage_cache'($*)) dnl - - gen_require(` - type abrt_var_cache_t; - ') - - files_search_var($1) - manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_manage_cache'($*)) dnl - ') - - -#################################### -## -## Read abrt configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_read_config'($*)) dnl - - gen_require(` - type abrt_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, abrt_etc_t, abrt_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_read_config'($*)) dnl - ') - - -###################################### -## -## Read abrt log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`abrt_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_read_log'($*)) dnl - - gen_require(` - type abrt_var_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_read_log'($*)) dnl - ') - - -###################################### -## -## Read abrt PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_read_pid_files'($*)) dnl - - gen_require(` - type abrt_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, abrt_runtime_t, abrt_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_read_pid_files'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## abrt PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`abrt_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_manage_pid_files'($*)) dnl - - gen_require(` - type abrt_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, abrt_runtime_t, abrt_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_manage_pid_files'($*)) dnl - ') - - -##################################### -## -## All of the rules required to -## administrate an abrt environment, -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`abrt_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `abrt_admin'($*)) dnl - - gen_require(` - attribute abrt_domain; - type abrt_t, abrt_etc_t, abrt_initrc_exec_t; - type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; - type abrt_runtime_t, abrt_tmp_t, abrt_retrace_spool_t; - ') - - allow $1 abrt_domain:process { ptrace signal_perms }; - ps_process_pattern($1, abrt_domain) - - init_startstop_service($1, $2, abrt_t, abrt_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, abrt_etc_t) - - logging_search_logs($1) - admin_pattern($1, abrt_var_log_t) - - files_search_var($1) - admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) - - files_search_pids($1) - admin_pattern($1, abrt_runtime_t) - - files_search_tmp($1) - admin_pattern($1, abrt_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `abrt_admin'($*)) dnl - ') - -## Port of Apple Rendezvous multicast DNS. - -######################################## -## -## Send generic signals to howl. -## -## -## -## Domain allowed access. -## -## -# - define(`howl_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `howl_signal'($*)) dnl - - gen_require(` - type howl_t; - ') - - allow $1 howl_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `howl_signal'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an howl environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`howl_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `howl_admin'($*)) dnl - - gen_require(` - type howl_t, howl_initrc_exec_t, howl_runtime_t; - ') - - allow $1 howl_t:process { ptrace signal_perms }; - ps_process_pattern($1, howl_t) - - init_startstop_service($1, $2, howl_t, howl_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, howl_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `howl_admin'($*)) dnl - ') - -## Cobbler installation server. - -######################################## -## -## Execute a domain transition to run cobblerd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cobblerd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobblerd_domtrans'($*)) dnl - - gen_require(` - type cobblerd_t, cobblerd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobblerd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute cobblerd init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cobblerd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobblerd_initrc_domtrans'($*)) dnl - - gen_require(` - type cobblerd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobblerd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read cobbler configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cobbler_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_read_config'($*)) dnl - - gen_require(` - type cobbler_etc_t; - ') - - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_read_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## cobbler log files. -## -## -## -## Domain to not audit. -## -## -# - define(`cobbler_dontaudit_rw_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_dontaudit_rw_log'($*)) dnl - - gen_require(` - type cobbler_var_log_t; - ') - - dontaudit $1 cobbler_var_log_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_dontaudit_rw_log'($*)) dnl - ') - - -######################################## -## -## Search cobbler lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`cobbler_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_search_lib'($*)) dnl - - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_search_lib'($*)) dnl - ') - - -######################################## -## -## Read cobbler lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cobbler_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_read_lib_files'($*)) dnl - - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## cobbler lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`cobbler_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_manage_lib_files'($*)) dnl - - gen_require(` - type cobbler_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cobbler environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`cobbler_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cobbler_admin'($*)) dnl - - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t; - type cobbler_tmp_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cobblerd_t) - - init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, cobbler_etc_t) - - files_search_tmp($1) - admin_pattern($1, cobbler_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, cobbler_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, cobbler_var_log_t) - - apache_search_sys_content($1) - admin_pattern($1, cobbler_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cobbler_admin'($*)) dnl - ') - -## Common UNIX printing system. - -######################################## -## -## Create a domain which can be -## started by cupsd. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# - define(`cups_backend',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_backend'($*)) dnl - - gen_require(` - type cupsd_t; - ') - - domain_type($1) - domain_entry_file($1, $2) - role system_r types $1; - - domtrans_pattern(cupsd_t, $2, $1) - allow cupsd_t $1:process signal; - allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; - - cups_read_config($1) - cups_append_log($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_backend'($*)) dnl - ') - - -######################################## -## -## Execute cups in the cups domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`cups_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_domtrans'($*)) dnl - - gen_require(` - type cupsd_t, cupsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cupsd_exec_t, cupsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to cupsd over an unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_stream_connect'($*)) dnl - - gen_require(` - type cupsd_t, cupsd_runtime_t; - ') - - files_search_pids($1) - allow $1 cupsd_runtime_t:sock_file read_sock_file_perms; - stream_connect_pattern($1, cupsd_runtime_t, cupsd_runtime_t, cupsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_stream_connect'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## cups over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_dbus_chat'($*)) dnl - - gen_require(` - type cupsd_t; - class dbus send_msg; - ') - - allow $1 cupsd_t:dbus send_msg; - allow cupsd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Read cups PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cups_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_read_pid_files'($*)) dnl - - gen_require(` - type cupsd_runtime_t; - ') - - files_search_pids($1) - allow $1 cupsd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Execute cups_config in the -## cups config domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cups_domtrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_domtrans_config'($*)) dnl - - gen_require(` - type cupsd_config_t, cupsd_config_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_domtrans_config'($*)) dnl - ') - - -######################################## -## -## Send generic signals to the cups -## configuration daemon. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_signal_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_signal_config'($*)) dnl - - gen_require(` - type cupsd_config_t; - ') - - allow $1 cupsd_config_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_signal_config'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## cupsd_config over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cups_dbus_chat_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_dbus_chat_config'($*)) dnl - - gen_require(` - type cupsd_config_t; - class dbus send_msg; - ') - - allow $1 cupsd_config_t:dbus send_msg; - allow cupsd_config_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_dbus_chat_config'($*)) dnl - ') - - -######################################## -## -## Read cups configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`cups_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_read_config'($*)) dnl - - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, { cupsd_etc_t cupsd_rw_etc_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_read_config'($*)) dnl - ') - - -######################################## -## -## Read cups-writable configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`cups_read_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_read_rw_config'($*)) dnl - - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, { cupsd_etc_t cupsd_rw_etc_t }, cupsd_rw_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_read_rw_config'($*)) dnl - ') - - -######################################## -## -## Read cups log files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`cups_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_read_log'($*)) dnl - - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_read_log'($*)) dnl - ') - - -######################################## -## -## Append cups log files. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_append_log'($*)) dnl - - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, cupsd_log_t, cupsd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_append_log'($*)) dnl - ') - - -######################################## -## -## Write cups log files. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_write_log'($*)) dnl - - gen_require(` - type cupsd_log_t; - ') - - logging_search_logs($1) - allow $1 cupsd_log_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_write_log'($*)) dnl - ') - - -######################################## -## -## Connect to ptal over an unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cups_stream_connect_ptal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_stream_connect_ptal'($*)) dnl - - gen_require(` - type ptal_t, ptal_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_stream_connect_ptal'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of cupsd. -## -## -## -## Domain allowed access. -## -## -# - define(`cups_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_read_state'($*)) dnl - - gen_require(` - type cupsd_t; - ') - - allow $1 cupsd_t:dir search_dir_perms; - allow $1 cupsd_t:file read_file_perms; - allow $1 cupsd_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_read_state'($*)) dnl - ') - - -######################################## -## -## Execute HP Linux Imaging and -## Printing applications in their -## own domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cups_domtrans_hplip',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_domtrans_hplip'($*)) dnl - - gen_require(` - type hplip_t, hplip_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hplip_exec_t, hplip_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_domtrans_hplip'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cups environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`cups_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cups_admin'($*)) dnl - - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t; - type cupsd_config_runtime_t, cupsd_lpd_runtime_t; - type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t; - type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t; - type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; - type hplip_t, ptal_t; - ') - - allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; - allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) - ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) - - init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t }) - - logging_list_logs($1) - admin_pattern($1, cupsd_log_t) - - files_list_spool($1) - - files_list_tmp($1) - admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) - - files_list_pids($1) - admin_pattern($1, { cupsd_config_runtime_t cupsd_runtime_t hplip_runtime_t }) - admin_pattern($1, { ptal_runtime_t cupsd_lpd_runtime_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cups_admin'($*)) dnl - ') - -## Portslave terminal server software. - -######################################## -## -## Execute portslave with a domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`portslave_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portslave_domtrans'($*)) dnl - - gen_require(` - type portslave_t, portslave_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portslave_exec_t, portslave_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portslave_domtrans'($*)) dnl - ') - -## Filter used for removing unsolicited email. - -######################################## -## -## Role access for spamassassin. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`spamassassin_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_role'($*)) dnl - - gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; - type spamassassin_t, spamassassin_exec_t, spamd_home_t; - type spamassassin_home_t, spamassassin_tmp_t; - ') - - role $1 types { spamc_t spamassassin_t }; - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - domtrans_pattern($2, spamc_exec_t, spamc_t) - - admin_process_pattern($2, { spamc_t spamassassin_t }) - - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin") - userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_role'($*)) dnl - ') - - -######################################## -## -## Execute sa-update in the spamd-update domain, -## and allow the specified role -## 
the spamd-update domain. Also allow transitive -## access to the private gpg domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`spamassassin_run_update',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_run_update'($*)) dnl - - gen_require(` - type spamd_gpg_t, spamd_update_exec_t, spamd_update_t; - ') - - role $2 types { spamd_gpg_t spamd_update_t }; - domtrans_pattern($1, spamd_update_exec_t, spamd_update_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_run_update'($*)) dnl - ') - - -######################################## -## -## Execute the standalone spamassassin -## program in the caller directory. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_exec'($*)) dnl - - gen_require(` - type spamassassin_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamassassin_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_exec'($*)) dnl - ') - - -######################################## -## -## Send generic signals to spamd. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_signal_spamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_signal_spamd'($*)) dnl - - gen_require(` - type spamd_t; - ') - - allow $1 spamd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_signal_spamd'($*)) dnl - ') - - -######################################## -## -## Execute spamd in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`spamassassin_exec_spamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_exec_spamd'($*)) dnl - - gen_require(` - type spamd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_exec_spamd'($*)) dnl - ') - - -######################################## -## -## Execute spamc in the spamc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`spamassassin_domtrans_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_client'($*)) dnl - - gen_require(` - type spamc_t, spamc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, spamc_exec_t, spamc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_client'($*)) dnl - ') - - -######################################## -## -## Execute spamc in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_exec_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_exec_client'($*)) dnl - - gen_require(` - type spamc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, spamc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_exec_client'($*)) dnl - ') - - -######################################## -## -## Send kill signals to spamc. -## -## -## -## Domain allowed access. 
-## -## -# - define(`spamassassin_kill_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_kill_client'($*)) dnl - - gen_require(` - type spamc_t; - ') - - allow $1 spamc_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_kill_client'($*)) dnl - ') - - -######################################## -## -## Execute spamassassin standalone client -## in the user spamassassin domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`spamassassin_domtrans_local_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_local_client'($*)) dnl - - gen_require(` - type spamassassin_t, spamassassin_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_local_client'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## spamd home content. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_manage_spamd_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_manage_spamd_home_content'($*)) dnl - - gen_require(` - type spamd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir manage_dir_perms; - allow $1 spamd_home_t:file manage_file_perms; - allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_manage_spamd_home_content'($*)) dnl - ') - - -######################################## -## -## Relabel spamd home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`spamassassin_relabel_spamd_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_relabel_spamd_home_content'($*)) dnl - - gen_require(` - type spamd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir relabel_dir_perms; - allow $1 spamd_home_t:file relabel_file_perms; - allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_relabel_spamd_home_content'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the spamd home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`spamassassin_home_filetrans_spamd_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_home_filetrans_spamd_home'($*)) dnl - - gen_require(` - type spamd_home_t; - ') - - userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_home_filetrans_spamd_home'($*)) dnl - ') - - -######################################## -## -## Read spamd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`spamassassin_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_read_lib_files'($*)) dnl - - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## spamd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_manage_lib_files'($*)) dnl - - gen_require(` - type spamd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Read spamd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_read_spamd_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_read_spamd_pid_files'($*)) dnl - - gen_require(` - type spamd_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, spamd_runtime_t, spamd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_read_spamd_pid_files'($*)) dnl - ') - - -######################################## -## -## Read temporary spamd files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`spamassassin_read_spamd_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_read_spamd_tmp_files'($*)) dnl - - gen_require(` - type spamd_tmp_t; - ') - - allow $1 spamd_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_read_spamd_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get -## attributes of temporary spamd sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl - - gen_require(` - type spamd_tmp_t; - ') - - dontaudit $1 spamd_tmp_t:sock_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Connect to spamd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`spamassassin_stream_connect_spamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_stream_connect_spamd'($*)) dnl - - gen_require(` - type spamd_t, spamd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, spamd_runtime_t, spamd_runtime_t, spamd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_stream_connect_spamd'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an spamassassin environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`spamassassin_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `spamassassin_admin'($*)) dnl - - gen_require(` - type spamd_t, spamd_tmp_t, spamd_log_t; - type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t; - type spamd_initrc_exec_t, spamassassin_unit_t; - type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t; - ') - - admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t }) - - init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t) - - files_list_tmp($1) - admin_pattern($1, { spamd_tmp_t spamd_update_tmp_t }) - - logging_list_logs($1) - admin_pattern($1, spamd_log_t) - - files_list_spool($1) - admin_pattern($1, spamd_spool_t) - - files_list_var_lib($1) - admin_pattern($1, spamd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, spamd_runtime_t) - - # This makes it impossible to apply _admin if _role has already been applied - #spamassassin_role($2, $1) - - # sa-update - spamassassin_run_update($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `spamassassin_admin'($*)) dnl - ') - -## High-performance memory object caching system. - -######################################## -## -## Execute a domain transition to run memcached. -## -## -## -## Domain allowed to transition. -## -## -# - define(`memcached_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_domtrans'($*)) dnl - - gen_require(` - type memcached_t,memcached_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, memcached_exec_t, memcached_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_domtrans'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## memcached pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`memcached_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_manage_pid_files'($*)) dnl - - gen_require(` - type memcached_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, memcached_runtime_t, memcached_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Read memcached pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`memcached_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_read_pid_files'($*)) dnl - - gen_require(` - type memcached_runtime_t; - ') - - files_search_pids($1) - allow $1 memcached_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to memcached using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`memcached_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_stream_connect'($*)) dnl - - gen_require(` - type memcached_t, memcached_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, memcached_runtime_t, memcached_runtime_t, memcached_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_stream_connect'($*)) dnl - ') - - -######################################## -## -## Connect to memcache over the network. -## -## -## -## Domain allowed access. 
-## -## -# - define(`memcached_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_tcp_connect'($*)) dnl - - gen_require(` - type memcached_t; - ') - - corenet_sendrecv_memcache_client_packets($1) - corenet_tcp_connect_memcache_port($1) - corenet_tcp_recvfrom_labeled($1, memcached_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_tcp_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an memcached environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`memcached_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `memcached_admin'($*)) dnl - - gen_require(` - type memcached_t, memcached_initrc_exec_t, memcached_runtime_t; - ') - - allow $1 memcached_t:process { ptrace signal_perms }; - ps_process_pattern($1, memcached_t) - - init_startstop_service($1, $2, memcached_t, memcached_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, memcached_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `memcached_admin'($*)) dnl - ') - -## Lightweight forwarding and caching proxy server. - -######################################## -## -## Role access for Polipo session. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`polipo_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `polipo_role'($*)) dnl - - gen_require(` - type polipo_session_t, polipo_exec_t, polipo_config_home_t; - type polipo_cache_home_t; - ') - - ######################################## - # - # Declarations - # - - role $1 types polipo_session_t; - - ######################################## - # - # Policy - # - - allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; - - userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") - userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") - userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") - - allow $2 polipo_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, polipo_session_t) - - tunable_policy(`polipo_session_users',` - domtrans_pattern($2, polipo_exec_t, polipo_session_t) - ',` - can_exec($2, polipo_exec_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `polipo_role'($*)) dnl - ') - - -######################################## -## -## Execute Polipo in the Polipo -## system domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`polipo_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `polipo_initrc_domtrans'($*)) dnl - - gen_require(` - type polipo_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, polipo_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `polipo_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## log directories with the polipo -## log file type. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`polipo_log_filetrans_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `polipo_log_filetrans_log'($*)) dnl - - gen_require(` - type polipo_log_t; - ') - - logging_log_filetrans($1, polipo_log_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `polipo_log_filetrans_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an polipo environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`polipo_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `polipo_admin'($*)) dnl - - gen_require(` - type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; - type polipo_conf_t, polipo_log_t, polipo_runtime_t; - ') - - allow $1 polipo_system_t:process { ptrace signal_perms }; - ps_process_pattern($1, polipo_system_t) - - init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t) - - files_search_var($1) - admin_pattern($1, polipo_cache_t) - - files_search_etc($1) - admin_pattern($1, polipo_conf_t) - - logging_search_logs($1) - admin_pattern($1, polipo_log_t) - - files_search_pids($1) - admin_pattern($1, polipo_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `polipo_admin'($*)) dnl - ') - -## Server for managing and downloading certificate revocation lists. - -############################################################ -## -## Role access for dirmngr. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`dirmngr_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirmngr_role'($*)) dnl - - gen_require(` - type dirmngr_t, dirmngr_exec_t; - type dirmngr_tmp_t; - ') - - role $1 types dirmngr_t; - - domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) - - allow $2 dirmngr_t:process { ptrace signal_perms }; - ps_process_pattern($2, dirmngr_t) - - allow dirmngr_t $2:fd use; - allow dirmngr_t $2:fifo_file { read write }; - - allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirmngr_role'($*)) dnl - ') - - -######################################## -## -## Execute dirmngr in the dirmngr domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dirmngr_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirmngr_domtrans'($*)) dnl - - gen_require(` - type dirmngr_t, dirmngr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirmngr_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the dirmngr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`dirmngr_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirmngr_exec'($*)) dnl - - gen_require(` - type dirmngr_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dirmngr_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirmngr_exec'($*)) dnl - ') - - -######################################## -## -## Connect to dirmngr socket -## -## -## -## Domain allowed access. 
-## -## -# - define(`dirmngr_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirmngr_stream_connect'($*)) dnl - - gen_require(` - type dirmngr_t, dirmngr_tmp_t; - ') - - gpg_search_agent_tmp_dirs($1) - allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms; - allow $1 dirmngr_t:unix_stream_socket connectto; - userdom_search_user_runtime($1) - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirmngr_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dirmngr environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dirmngr_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dirmngr_admin'($*)) dnl - - gen_require(` - type dirmngr_t, dirmngr_initrc_exec_t, dirmngr_runtime_t; - type dirmngr_conf_t, dirmngr_var_lib_t, dirmngr_log_t; - ') - - allow $1 dirmngr_t:process { ptrace signal_perms }; - ps_process_pattern($1, dirmngr_t) - - init_startstop_service($1, $2, dirmngr_t, dirmngr_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, dirmngr_conf_t) - - logging_search_logs($1) - admin_pattern($1, dirmngr_log_t) - - files_search_pids($1) - admin_pattern($1, dirmngr_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, dirmngr_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dirmngr_admin'($*)) dnl - ') - -## RADIUS authentication and accounting server. - -######################################## -## -## All of the rules required to -## administrate an radius environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`radius_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `radius_admin'($*)) dnl - - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_runtime_t; - type radiusd_initrc_exec_t; - ') - - allow $1 radiusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radiusd_t) - - init_startstop_service($1, $2, radiusd_t, radiusd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t }) - - logging_list_logs($1) - admin_pattern($1, radiusd_log_t) - - files_list_var_lib($1) - admin_pattern($1, radiusd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, radiusd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `radius_admin'($*)) dnl - ') - -## Various web servers. - -######################################## -## -## Create a set of derived types for -## httpd web content. -## -## -## -## The prefix to be used for deriving type names. -## -## -# - define(`apache_content_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_content_template'($*)) dnl - - gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - attribute httpd_ro_content, httpd_rw_content, httpd_ra_content; - type httpd_t, httpd_suexec_t; - ') - - ######################################## - # - # Declarations - # - - ## - ##

- ## Determine whether the script domain can - ## modify public files used for public file - ## transfer services. Directories/Files must - ## be labeled public_content_rw_t. - ##

- ##
- gen_tunable(allow_httpd_$1_script_anon_write, false) - - type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable - files_type(httpd_$1_content_t) - - type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable; - files_type(httpd_$1_htaccess_t) - - type httpd_$1_script_t, httpd_script_domains; - domain_type(httpd_$1_script_t) - role system_r types httpd_$1_script_t; - - type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; - corecmd_shell_entry_type(httpd_$1_script_t) - domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) - - type httpd_$1_rw_content_t, httpdcontent, httpd_rw_content; # customizable - files_type(httpd_$1_rw_content_t) - - type httpd_$1_ra_content_t, httpdcontent, httpd_ra_content; # customizable - files_type(httpd_$1_ra_content_t) - - ######################################## - # - # Policy - # - - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; - - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; - - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, 
httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) - - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` - can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_content_template'($*)) dnl - ') - - -######################################## -## -## Role access for apache. -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role. 
-## -## -# - define(`apache_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_role'($*)) dnl - - gen_require(` - attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; - type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; - ') - - role $1 types httpd_user_script_t; - - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - - allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms }; - allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web") - userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www") - - filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess") - filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin") - filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, 
dir, "logs") - - tunable_policy(`httpd_enable_cgi',` - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($2, httpdcontent, httpd_user_script_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_role'($*)) dnl - ') - - -######################################## -## -## Read user httpd script executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_read_user_scripts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_user_scripts'($*)) dnl - - gen_require(` - type httpd_user_script_exec_t; - ') - - allow $1 httpd_user_script_exec_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_user_scripts'($*)) dnl - ') - - -######################################## -## -## Read user httpd content. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_read_user_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_user_content'($*)) dnl - - gen_require(` - type httpd_user_content_t; - ') - - allow $1 httpd_user_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_user_content'($*)) dnl - ') - - -######################################## -## -## Execute httpd with a domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`apache_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_domtrans'($*)) dnl - - gen_require(` - type httpd_t, httpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_exec_t, httpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute httpd server in the httpd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apache_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_initrc_domtrans'($*)) dnl - - gen_require(` - type httpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_initrc_domtrans'($*)) dnl - ') - - -####################################### -## -## Send generic signals to httpd. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_signal'($*)) dnl - - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to httpd. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_signull'($*)) dnl - - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_signull'($*)) dnl - ') - - -######################################## -## -## Send child terminated signals to httpd. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_sigchld'($*)) dnl - - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_sigchld'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors -## from httpd. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_use_fds'($*)) dnl - - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write httpd unnamed pipes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`apache_dontaudit_rw_fifo_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_fifo_file'($*)) dnl - - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_fifo_file'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write httpd unix domain stream sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`apache_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write httpd unix domain -## stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_rw_stream_sockets'($*)) dnl - - gen_require(` - type httpd_t; - ') - - allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write httpd TCP sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`apache_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type httpd_t; - ') - - dontaudit $1 httpd_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Reload the httpd service (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`apache_reload',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_reload'($*)) dnl - - gen_require(` - type httpd_unit_t; - class service { reload status }; - ') - - allow $1 httpd_unit_t:service { reload status }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_reload'($*)) dnl - ') - - -######################################## -## -## Read all appendable content -## -## -## -## Domain allowed access. -## -## -# - define(`apache_read_all_ra_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_all_ra_content'($*)) dnl - - gen_require(` - attribute httpd_ra_content; - ') - - read_files_pattern($1, httpd_ra_content, httpd_ra_content) - read_lnk_files_pattern($1, httpd_ra_content, httpd_ra_content) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_all_ra_content'($*)) dnl - ') - - -######################################## -## -## Append to all appendable web content -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_append_all_ra_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_append_all_ra_content'($*)) dnl - - gen_require(` - attribute httpd_ra_content; - ') - - append_files_pattern($1, httpd_ra_content, httpd_ra_content) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_append_all_ra_content'($*)) dnl - ') - - -######################################## -## -## Read all read/write content -## -## -## -## Domain allowed access. -## -## -# - define(`apache_read_all_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_all_rw_content'($*)) dnl - - gen_require(` - attribute httpd_rw_content; - ') - - read_files_pattern($1, httpd_rw_content, httpd_rw_content) - read_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_all_rw_content'($*)) dnl - ') - - -######################################## -## -## Manage all read/write content -## -## -## -## Domain allowed access. -## -## -# - define(`apache_manage_all_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_all_rw_content'($*)) dnl - - gen_require(` - attribute httpd_rw_content; - ') - - manage_dirs_pattern($1, httpd_rw_content, httpd_rw_content) - manage_files_pattern($1, httpd_rw_content, httpd_rw_content) - manage_lnk_files_pattern($1, httpd_rw_content, httpd_rw_content) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_all_rw_content'($*)) dnl - ') - -######################################## -## -## Read all web content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_read_all_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_all_content'($*)) dnl - - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - read_files_pattern($1, httpdcontent, httpdcontent) - read_lnk_files_pattern($1, httpdcontent, httpdcontent) - - read_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - read_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_all_content'($*)) dnl - ') - - -####################################### -## -## Search all apache content. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_search_all_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_search_all_content'($*)) dnl - - gen_require(` - attribute httpdcontent; - ') - - allow $1 httpdcontent:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_search_all_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## all httpd content. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`apache_manage_all_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_all_content'($*)) dnl - - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - ') - - manage_dirs_pattern($1, httpdcontent, httpdcontent) - manage_files_pattern($1, httpdcontent, httpdcontent) - manage_lnk_files_pattern($1, httpdcontent, httpdcontent) - - manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_all_content'($*)) dnl - ') - - -######################################## -## -## Set attributes httpd cache directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_setattr_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_setattr_cache_dirs'($*)) dnl - - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_setattr_cache_dirs'($*)) dnl - ') - - -######################################## -## -## List httpd cache directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_list_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_list_cache'($*)) dnl - - gen_require(` - type httpd_cache_t; - ') - - list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_list_cache'($*)) dnl - ') - - -######################################## -## -## Read and write httpd cache files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_rw_cache_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_rw_cache_files'($*)) dnl - - gen_require(` - type httpd_cache_t; - ') - - allow $1 httpd_cache_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_rw_cache_files'($*)) dnl - ') - - -######################################## -## -## Delete httpd cache directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_delete_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_delete_cache_dirs'($*)) dnl - - gen_require(` - type httpd_cache_t; - ') - - delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_delete_cache_dirs'($*)) dnl - ') - - -######################################## -## -## Delete httpd cache files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_delete_cache_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_delete_cache_files'($*)) dnl - - gen_require(` - type httpd_cache_t; - ') - - delete_files_pattern($1, httpd_cache_t, httpd_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_delete_cache_files'($*)) dnl - ') - - -######################################## -## -## Read httpd configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`apache_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_config'($*)) dnl - - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_config'($*)) dnl - ') - - -######################################## -## -## Search httpd configuration directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_search_config'($*)) dnl - - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - allow $1 httpd_config_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_search_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## httpd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_config'($*)) dnl - - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, httpd_config_t, httpd_config_t) - manage_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_config'($*)) dnl - ') - - -######################################## -## -## Execute the Apache helper program -## with a domain transition. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_domtrans_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_domtrans_helper'($*)) dnl - - gen_require(` - type httpd_helper_t, httpd_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_domtrans_helper'($*)) dnl - ') - - -######################################## -## -## Execute the Apache helper program with -## a domain transition, and allow the -## specified role the Apache helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`apache_run_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_run_helper'($*)) dnl - - gen_require(` - attribute_role httpd_helper_roles; - ') - - apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_run_helper'($*)) dnl - ') - - -######################################## -## -## Read httpd log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`apache_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_log'($*)) dnl - - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - read_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_log'($*)) dnl - ') - - -######################################## -## -## Append httpd log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_append_log'($*)) dnl - - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - allow $1 httpd_log_t:dir list_dir_perms; - append_files_pattern($1, httpd_log_t, httpd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_append_log'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append -## httpd log files. -## -## -## -## Domain to not audit. -## -## -# - define(`apache_dontaudit_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_append_log'($*)) dnl - - gen_require(` - type httpd_log_t; - ') - - dontaudit $1 httpd_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## httpd log files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_log'($*)) dnl - - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_log'($*)) dnl - ') - - -####################################### -## -## Write apache log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_write_log'($*)) dnl - - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_write_log'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## httpd module directories. -## -## -## -## Domain to not audit. -## -## -# - define(`apache_dontaudit_search_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_search_modules'($*)) dnl - - gen_require(` - type httpd_modules_t; - ') - - dontaudit $1 httpd_modules_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_search_modules'($*)) dnl - ') - - -######################################## -## -## List httpd module directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_list_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_list_modules'($*)) dnl - - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_list_modules'($*)) dnl - ') - - -######################################## -## -## Execute httpd module files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_exec_modules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_exec_modules'($*)) dnl - - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_exec_modules'($*)) dnl - ') - - -######################################## -## -## Read httpd module files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_read_module_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_module_files'($*)) dnl - - gen_require(` - type httpd_modules_t; - ') - - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_module_files'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run httpd_rotatelogs. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apache_domtrans_rotatelogs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_domtrans_rotatelogs'($*)) dnl - - gen_require(` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_domtrans_rotatelogs'($*)) dnl - ') - - -######################################## -## -## List httpd system content directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_list_sys_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_list_sys_content'($*)) dnl - - gen_require(` - type httpd_sys_content_t; - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_list_sys_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## httpd system content files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`apache_manage_sys_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content'($*)) dnl - - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_sys_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## httpd system rw content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_manage_sys_rw_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_sys_rw_content'($*)) dnl - - gen_require(` - type httpd_sys_rw_content_t; - ') - - apache_search_sys_content($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_sys_rw_content'($*)) dnl - ') - - -######################################## -## -## Execute all httpd scripts in the -## system script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apache_domtrans_sys_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_domtrans_sys_script'($*)) dnl - - gen_require(` - attribute httpdcontent; - type httpd_sys_script_t; - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_domtrans_sys_script'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write httpd system script unix -## domain stream sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`apache_dontaudit_rw_sys_script_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl - - gen_require(` - type httpd_sys_script_t; - ') - - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Execute all user scripts in the user -## script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`apache_domtrans_all_scripts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_domtrans_all_scripts'($*)) dnl - - gen_require(` - attribute httpd_exec_scripts; - ') - - typeattribute $1 httpd_exec_scripts; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_domtrans_all_scripts'($*)) dnl - ') - - -######################################## -## -## Execute all user scripts in the user -## script domain. Add user script domains -## to the specified role. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`apache_run_all_scripts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_run_all_scripts'($*)) dnl - - gen_require(` - attribute httpd_script_domains; - ') - - role $2 types httpd_script_domains; - apache_domtrans_all_scripts($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_run_all_scripts'($*)) dnl - ') - - -######################################## -## -## Read httpd squirrelmail data files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_read_squirrelmail_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_squirrelmail_data'($*)) dnl - - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_squirrelmail_data'($*)) dnl - ') - - -######################################## -## -## Append httpd squirrelmail data files. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_append_squirrelmail_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_append_squirrelmail_data'($*)) dnl - - gen_require(` - type httpd_squirrelmail_t; - ') - - allow $1 httpd_squirrelmail_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_append_squirrelmail_data'($*)) dnl - ') - - -######################################## -## -## Search httpd system content. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_search_sys_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_search_sys_content'($*)) dnl - - gen_require(` - type httpd_sys_content_t; - ') - - files_search_var($1) - allow $1 httpd_sys_content_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_search_sys_content'($*)) dnl - ') - - -######################################## -## -## Read httpd system content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_read_sys_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_sys_content'($*)) dnl - - gen_require(` - type httpd_sys_content_t; - ') - - allow $1 httpd_sys_content_t:dir list_dir_perms; - read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_sys_content'($*)) dnl - ') - - -######################################## -## -## Search httpd system CGI directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_search_sys_scripts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_search_sys_scripts'($*)) dnl - - gen_require(` - type httpd_sys_content_t, httpd_sys_script_exec_t; - ') - - search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_search_sys_scripts'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all -## user httpd content. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`apache_manage_all_user_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_manage_all_user_content'($*)) dnl - - gen_require(` - type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t; - type httpd_user_htaccess_t, httpd_user_script_exec_t; - ') - - manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) - manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }) - manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_manage_all_user_content'($*)) dnl - ') - - -######################################## -## -## Search system script state directories. -## -## -## -## Domain allowed access. -## -## -# - define(`apache_search_sys_script_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_search_sys_script_state'($*)) dnl - - gen_require(` - type httpd_sys_script_t; - ') - - allow $1 httpd_sys_script_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_search_sys_script_state'($*)) dnl - ') - - -######################################## -## -## Read httpd tmp files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`apache_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_read_tmp_files'($*)) dnl - - gen_require(` - type httpd_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## httpd tmp files. -## -## -## -## Domain to not audit. -## -## -# - define(`apache_dontaudit_write_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_dontaudit_write_tmp_files'($*)) dnl - - gen_require(` - type httpd_tmp_t; - ') - - dontaudit $1 httpd_tmp_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_dontaudit_write_tmp_files'($*)) dnl - ') - - -######################################## -## -## Delete httpd_var_lib_t files -## -## -## -## Domain that can delete the files -## -## -# - define(`apache_delete_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_delete_lib_files'($*)) dnl - - gen_require(` - type httpd_var_lib_t; - ') - - files_search_var_lib($1) - delete_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_delete_lib_files'($*)) dnl - ') - - -######################################## -## -## Execute CGI in the specified domain. -## -## -##

-## This is an interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain run the cgi script in. -## -## -## -## -## Type of the executable to enter the cgi domain. -## -## -# - define(`apache_cgi_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_cgi_domain'($*)) dnl - - gen_require(` - type httpd_t; - ') - - domtrans_pattern(httpd_t, $2, $1) - apache_search_sys_scripts($1) - - allow httpd_t $1:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_cgi_domain'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an apache environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`apache_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `apache_admin'($*)) dnl - - gen_require(` - attribute httpdcontent, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_helper_t; - type httpd_runtime_t, httpd_passwd_t, httpd_suexec_t; - type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; - type httpd_initrc_exec_t, httpd_keytab_t; - ') - - allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; - allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) - ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }) - - init_startstop_service($1, $2, httpd_t, httpd_initrc_exec_t) - - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - - files_search_etc($1) - admin_pattern($1, { httpd_keytab_t httpd_config_t }) - - logging_search_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) - - admin_pattern($1, 
httpd_lock_t) - files_lock_filetrans($1, httpd_lock_t, file) - - admin_pattern($1, httpd_runtime_t) - files_pid_filetrans($1, httpd_runtime_t, file) - - admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) - admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) - - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `apache_admin'($*)) dnl - ') - -## Cluster mirror log daemon. - -######################################## -## -## Execute a domain transition to -## run cmirrord. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cmirrord_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cmirrord_domtrans'($*)) dnl - - gen_require(` - type cmirrord_t, cmirrord_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cmirrord_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute cmirrord server in the -## cmirrord domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`cmirrord_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cmirrord_initrc_domtrans'($*)) dnl - - gen_require(` - type cmirrord_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cmirrord_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read cmirrord PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`cmirrord_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cmirrord_read_pid_files'($*)) dnl - - gen_require(` - type cmirrord_runtime_t; - ') - - files_search_pids($1) - allow $1 cmirrord_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cmirrord_read_pid_files'($*)) dnl - ') - - -####################################### -## -## Read and write cmirrord shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`cmirrord_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cmirrord_rw_shm'($*)) dnl - - gen_require(` - type cmirrord_t, cmirrord_tmpfs_t; - ') - - allow $1 cmirrord_t:shm rw_shm_perms; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cmirrord_rw_shm'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cmirrord environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cmirrord_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cmirrord_admin'($*)) dnl - - gen_require(` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_runtime_t; - ') - - allow $1 cmirrord_t:process { ptrace signal_perms }; - ps_process_pattern($1, cmirrord_t) - - init_startstop_service($1, $2, cmirrord_t, cmirrord_initrc_exec_t) - - files_list_pids($1) - admin_pattern($1, cmirrord_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cmirrord_admin'($*)) dnl - ') - -## DBus fingerprint reader service. 
- -######################################## -## -## Execute a domain transition to run fprintd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`fprintd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fprintd_domtrans'($*)) dnl - - gen_require(` - type fprintd_t, fprintd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fprintd_exec_t, fprintd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fprintd_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## fprintd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`fprintd_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fprintd_dbus_chat'($*)) dnl - - gen_require(` - type fprintd_t; - class dbus send_msg; - ') - - allow $1 fprintd_t:dbus send_msg; - allow fprintd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fprintd_dbus_chat'($*)) dnl - ') - -## Internet News NNTP server. - -######################################## -## -## Execute innd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`inn_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_exec'($*)) dnl - - gen_require(` - type innd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, innd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_exec'($*)) dnl - ') - - -######################################## -## -## Execute inn configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`inn_exec_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_exec_config'($*)) dnl - - gen_require(` - type innd_etc_t; - ') - - files_search_etc($1) - exec_files_pattern($1, innd_etc_t, innd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_exec_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## innd log files. -## -## -## -## Domain allowed access. -## -## -# - define(`inn_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_manage_log'($*)) dnl - - gen_require(` - type innd_log_t; - ') - - manage_files_pattern($1, innd_log_t, innd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_manage_log'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## log directories with the innd log file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`inn_generic_log_filetrans_innd_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_generic_log_filetrans_innd_log'($*)) dnl - - gen_require(` - type innd_log_t; - ') - - logging_log_filetrans($1, innd_log_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_generic_log_filetrans_innd_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## innd pid content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`inn_manage_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_manage_pid'($*)) dnl - - gen_require(` - type innd_runtime_t; - ') - - files_search_pids($1) - allow $1 innd_runtime_t:dir manage_dir_perms; - allow $1 innd_runtime_t:file manage_file_perms; - allow $1 innd_runtime_t:sock_file manage_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_manage_pid'($*)) dnl - ') - - -######################################## -## -## Read innd configuration content. -## -## -## -## Domain allowed access. -## -## - -# - define(`inn_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_read_config'($*)) dnl - - gen_require(` - type innd_etc_t; - ') - - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_read_config'($*)) dnl - ') - - -######################################## -## -## Read innd news library content. -## -## -## -## Domain allowed access. -## -## -# - define(`inn_read_news_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_read_news_lib'($*)) dnl - - gen_require(` - type innd_var_lib_t; - ') - - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_read_news_lib'($*)) dnl - ') - - -######################################## -## -## Read innd news spool content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`inn_read_news_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_read_news_spool'($*)) dnl - - gen_require(` - type news_spool_t; - ') - - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_read_news_spool'($*)) dnl - ') - - -######################################## -## -## Send to a innd unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# - define(`inn_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_dgram_send'($*)) dnl - - gen_require(` - type innd_t, innd_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, innd_runtime_t, innd_runtime_t, innd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_dgram_send'($*)) dnl - ') - - -######################################## -## -## Execute innd in the innd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`inn_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_domtrans'($*)) dnl - - gen_require(` - type innd_t, innd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, innd_exec_t, innd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an inn environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`inn_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inn_admin'($*)) dnl - - gen_require(` - type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t; - type innd_runtime_t, innd_initrc_exec_t; - ') - - init_startstop_service($1, $2, innd_t, innd_initrc_exec_t) - - allow $1 innd_t:process { ptrace signal_perms }; - ps_process_pattern($1, innd_t) - - files_list_etc($1) - admin_pattern($1, innd_etc_t) - - logging_list_logs($1) - admin_pattern($1, innd_log_t) - - files_list_var_lib($1) - admin_pattern($1, innd_var_lib_t) - - files_list_pids($1) - admin_pattern($1, innd_runtime_t) - - files_list_spool($1) - admin_pattern($1, news_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inn_admin'($*)) dnl - ') - -## A network traffic probe similar to the UNIX top command. - -######################################## -## -## All of the rules required to -## administrate an ntop environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ntop_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntop_admin'($*)) dnl - - gen_require(` - type ntop_t, ntop_etc_t, ntop_runtime_t; - type ntop_initrc_exec_t, ntop_var_lib_t; - ') - - allow $1 ntop_t:process { ptrace signal_perms }; - ps_process_pattern($1, ntop_t) - - init_startstop_service($1, $2, ntop_t, ntop_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, ntop_etc_t) - - files_search_var_lib($1) - admin_pattern($1, ntop_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ntop_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntop_admin'($*)) dnl - ') - -## Gnome clock handler for setting the time. - -######################################## -## -## Execute a domain transition to -## run gnomeclock. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`gnomeclock_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnomeclock_domtrans'($*)) dnl - - gen_require(` - type gnomeclock_t, gnomeclock_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnomeclock_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute gnomeclock in the gnomeclock -## domain, and allow the specified -## role the gnomeclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`gnomeclock_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnomeclock_run'($*)) dnl - - gen_require(` - attribute_role gnomeclock_roles; - ') - - gnomeclock_domtrans($1) - roleattribute $2 gnomeclock_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnomeclock_run'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## gnomeclock over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`gnomeclock_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnomeclock_dbus_chat'($*)) dnl - - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - allow $1 gnomeclock_t:dbus send_msg; - allow gnomeclock_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnomeclock_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send and -## receive messages from gnomeclock -## over dbus. -## -## -## -## Domain to not audit. 
-## -## -# - define(`gnomeclock_dontaudit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gnomeclock_dontaudit_dbus_chat'($*)) dnl - - gen_require(` - type gnomeclock_t; - class dbus send_msg; - ') - - dontaudit $1 gnomeclock_t:dbus send_msg; - dontaudit gnomeclock_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gnomeclock_dontaudit_dbus_chat'($*)) dnl - ') - -## Monit - utility for monitoring services on a Unix system. - -######################################## -## -## Execute a domain transition to run monit cli. -## -## -## -## Domain allowed to transition. -## -## -# - define(`monit_domtrans_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monit_domtrans_cli'($*)) dnl - - gen_require(` - type monit_cli_t, monit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, monit_exec_t, monit_cli_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monit_domtrans_cli'($*)) dnl - ') - - -######################################## -## -## Execute monit in the monit cli domain, -## and allow the specified role -## the monit cli domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`monit_run_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monit_run_cli'($*)) dnl - - gen_require(` - attribute_role monit_cli_roles; - ') - - monit_domtrans_cli($1) - roleattribute $2 monit_cli_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monit_run_cli'($*)) dnl - ') - - -######################################## -## -## Reload the monit daemon. -## -## -## -## Domain allowed access. 
-## -## -# - define(`monit_reload',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monit_reload'($*)) dnl - - gen_require(` - class service { reload status }; - type monit_initrc_exec_t, monit_unit_t; - ') - - allow $1 { monit_initrc_exec_t monit_unit_t }:service { reload status }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monit_reload'($*)) dnl - ') - - -######################################## -## -## Start and stop the monit daemon. -## -## -## -## Domain allowed access. -## -## -# - define(`monit_startstop_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monit_startstop_service'($*)) dnl - - gen_require(` - class service { start status stop }; - type monit_initrc_exec_t, monit_unit_t; - ') - - allow $1 { monit_initrc_exec_t monit_unit_t }:service { start status stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monit_startstop_service'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an monit environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`monit_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `monit_admin'($*)) dnl - - gen_require(` - type monit_t, monit_conf_t, monit_initrc_exec_t; - type monit_log_t, monit_runtime_t; - type monit_unit_t, monit_var_lib_t; - ') - - admin_process_pattern($1, monit_t) - - init_startstop_service($1, $2, monit_t, monit_initrc_exec_t, monit_unit_t) - - files_search_etc($1) - admin_pattern($1, monit_conf_t) - - logging_search_logs($1) - admin_pattern($1, monit_log_t) - - files_search_pids($1) - admin_pattern($1, monit_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, monit_var_lib_t) - - monit_run_cli($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `monit_admin'($*)) dnl - ') - -## Advanced key-value store. - -######################################## -## -## All of the rules required to -## administrate an redis environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`redis_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `redis_admin'($*)) dnl - - gen_require(` - type redis_t, redis_initrc_exec_t, redis_var_lib_t; - type redis_log_t, redis_runtime_t, redis_conf_t; - ') - - allow $1 redis_t:process { ptrace signal_perms }; - ps_process_pattern($1, redis_t) - - init_startstop_service($1, $2, redis_t, redis_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, redis_conf_t) - - logging_search_logs($1) - admin_pattern($1, redis_log_t) - - files_search_var_lib($1) - admin_pattern($1, redis_var_lib_t) - - files_search_pids($1) - admin_pattern($1, redis_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `redis_admin'($*)) dnl - ') - -## Remote certificate distribution framework. - -######################################## -## -## Execute a domain transition to run certmaster. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`certmaster_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_domtrans'($*)) dnl - - gen_require(` - type certmaster_t, certmaster_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certmaster_exec_t, certmaster_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_domtrans'($*)) dnl - ') - - -#################################### -## -## Execute certmaster in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`certmaster_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_exec'($*)) dnl - - gen_require(` - type certmaster_exec_t; - ') - - can_exec($1, certmaster_exec_t) - corecmd_search_bin($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_exec'($*)) dnl - ') - - -####################################### -## -## read certmaster logs. -## -## -## -## Domain allowed access. -## -## -# - define(`certmaster_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_read_log'($*)) dnl - - gen_require(` - type certmaster_var_log_t; - ') - - read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_read_log'($*)) dnl - ') - - -####################################### -## -## Append certmaster log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`certmaster_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_append_log'($*)) dnl - - gen_require(` - type certmaster_var_log_t; - ') - - append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_append_log'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## certmaster log content. -## -## -## -## Domain allowed access. -## -## -# - define(`certmaster_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_manage_log'($*)) dnl - - gen_require(` - type certmaster_var_log_t; - ') - - manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_manage_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an certmaster environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`certmaster_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmaster_admin'($*)) dnl - - gen_require(` - type certmaster_t, certmaster_runtime_t, certmaster_var_lib_t; - type certmaster_etc_rw_t, certmaster_var_log_t; - type certmaster_initrc_exec_t; - ') - - allow $1 certmaster_t:process { ptrace signal_perms }; - ps_process_pattern($1, certmaster_t) - - init_startstop_service($1, $2, certmaster_t, certmaster_initrc_exec_t) - - files_list_etc($1) - miscfiles_manage_generic_cert_dirs($1) - miscfiles_manage_generic_cert_files($1) - - admin_pattern($1, certmaster_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, certmaster_runtime_t) - - logging_list_logs($1) - admin_pattern($1, certmaster_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, certmaster_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmaster_admin'($*)) dnl - ') - -## Who is logged in on other machines? - -######################################## -## -## Execute a domain transition to run rwho. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rwho_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_domtrans'($*)) dnl - - gen_require(` - type rwho_t, rwho_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rwho_exec_t, rwho_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_domtrans'($*)) dnl - ') - - -######################################## -## -## Search rwho log directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rwho_search_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_search_log'($*)) dnl - - gen_require(` - type rwho_log_t; - ') - - logging_search_logs($1) - allow $1 rwho_log_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_search_log'($*)) dnl - ') - - -######################################## -## -## Read rwho log files. -## -## -## -## Domain allowed access. -## -## -# - define(`rwho_read_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_read_log_files'($*)) dnl - - gen_require(` - type rwho_log_t; - ') - - logging_search_logs($1) - allow $1 rwho_log_t:dir list_dir_perms; - allow $1 rwho_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_read_log_files'($*)) dnl - ') - - -######################################## -## -## Search rwho spool directories. -## -## -## -## Domain allowed access. -## -## -# - define(`rwho_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_search_spool'($*)) dnl - - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - allow $1 rwho_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_search_spool'($*)) dnl - ') - - -######################################## -## -## Read rwho spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rwho_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_read_spool_files'($*)) dnl - - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, rwho_spool_t, rwho_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rwho spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`rwho_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_manage_spool_files'($*)) dnl - - gen_require(` - type rwho_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rwho environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rwho_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rwho_admin'($*)) dnl - - gen_require(` - type rwho_t, rwho_log_t, rwho_spool_t; - type rwho_initrc_exec_t; - ') - - allow $1 rwho_t:process { ptrace signal_perms }; - ps_process_pattern($1, rwho_t) - - init_startstop_service($1, $2, rwho_t, rwho_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, rwho_log_t) - - files_list_spool($1) - admin_pattern($1, rwho_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rwho_admin'($*)) dnl - ') - -## DNS forwarder and DHCP server. - -######################################## -## -## Execute dnsmasq server in the dnsmasq domain. 
-## -## -## -## Domain allowed to transition. -## -## -# -# - define(`dnsmasq_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_domtrans'($*)) dnl - - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the dnsmasq init script in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# - define(`dnsmasq_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_initrc_domtrans'($*)) dnl - - gen_require(` - type dnsmasq_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to dnsmasq. -## -## -## -## Domain allowed access. -## -## -# -# - define(`dnsmasq_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_signal'($*)) dnl - - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to dnsmasq. -## -## -## -## Domain allowed access. 
-## -## -# -# - define(`dnsmasq_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_signull'($*)) dnl - - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_signull'($*)) dnl - ') - - -######################################## -## -## Send kill signals to dnsmasq. -## -## -## -## Domain allowed access. -## -## -# -# - define(`dnsmasq_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_kill'($*)) dnl - - gen_require(` - type dnsmasq_t; - ') - - allow $1 dnsmasq_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_kill'($*)) dnl - ') - - -######################################## -## -## Read dnsmasq config files. -## -## -## -## Domain allowed access. -## -## -# - define(`dnsmasq_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_read_config'($*)) dnl - - gen_require(` - type dnsmasq_etc_t; - ') - - read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_read_config'($*)) dnl - ') - - -######################################## -## -## Write dnsmasq config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dnsmasq_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_write_config'($*)) dnl - - gen_require(` - type dnsmasq_etc_t; - ') - - write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_write_config'($*)) dnl - ') - - -######################################## -## -## Delete dnsmasq pid files. -## -## -## -## Domain allowed access. -## -## -# -# - define(`dnsmasq_delete_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_delete_pid_files'($*)) dnl - - gen_require(` - type dnsmasq_runtime_t; - ') - - delete_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_delete_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## dnsmasq pid files -## -## -## -## Domain allowed access. -## -## -# - define(`dnsmasq_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_manage_pid_files'($*)) dnl - - gen_require(` - type dnsmasq_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Read dnsmasq pid files. -## -## -## -## Domain allowed access. 
-## -## -# -# - define(`dnsmasq_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_read_pid_files'($*)) dnl - - gen_require(` - type dnsmasq_runtime_t; - ') - - read_files_pattern($1, dnsmasq_runtime_t, dnsmasq_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create dnsmasq pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dnsmasq_create_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_create_pid_dirs'($*)) dnl - - gen_require(` - type dnsmasq_runtime_t; - ') - - files_search_pids($1) - allow $1 dnsmasq_runtime_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_create_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create specified objects in specified -## directories with a type transition to -## the dnsmasq pid file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Directory to transition on. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`dnsmasq_spec_filetrans_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_spec_filetrans_pid'($*)) dnl - - gen_require(` - type dnsmasq_runtime_t; - ') - - filetrans_pattern($1, $2, dnsmasq_runtime_t, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_spec_filetrans_pid'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dnsmasq environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dnsmasq_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dnsmasq_admin'($*)) dnl - - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_runtime_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; - ') - - allow $1 dnsmasq_t:process { ptrace signal_perms }; - ps_process_pattern($1, dnsmasq_t) - - init_startstop_service($1, $2, dnsmasq_t, dnsmasq_initrc_exec_t) - - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - - logging_search_logs($1) - admin_pattern($1, dnsmasq_var_log_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dnsmasq_admin'($*)) dnl - ') - -## Clustered Mirror Log Server. - -###################################### -## -## Execute a domain transition to run clogd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`clogd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clogd_domtrans'($*)) dnl - - gen_require(` - type clogd_t, clogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clogd_exec_t, clogd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clogd_domtrans'($*)) dnl - ') - - -##################################### -## -## Read and write clogd semaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`clogd_rw_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clogd_rw_semaphores'($*)) dnl - - gen_require(` - type clogd_t; - ') - - allow $1 clogd_t:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clogd_rw_semaphores'($*)) dnl - ') - - -######################################## -## -## Read and write clogd shared memory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`clogd_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clogd_rw_shm'($*)) dnl - - gen_require(` - type clogd_t, clogd_tmpfs_t; - ') - - allow $1 clogd_t:shm rw_shm_perms; - allow $1 clogd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clogd_rw_shm'($*)) dnl - ') - -## Clock speed measurement and manipulation. - -######################################## -## -## Execute clockspeed utilities in -## the clockspeed_cli domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`clockspeed_domtrans_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clockspeed_domtrans_cli'($*)) dnl - - gen_require(` - type clockspeed_cli_t, clockspeed_cli_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clockspeed_domtrans_cli'($*)) dnl - ') - - -######################################## -## -## Execute clockspeed utilities in the -## clockspeed cli domain, and allow the -## specified role the clockspeed cli domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`clockspeed_run_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clockspeed_run_cli'($*)) dnl - - gen_require(` - attribute_role clockspeed_cli_roles; - ') - - clockspeed_domtrans_cli($1) - roleattribute $2 clockspeed_cli_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clockspeed_run_cli'($*)) dnl - ') - -## Filesystem automounter service. - -######################################## -## -## Execute automount in the automount domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`automount_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_domtrans'($*)) dnl - - gen_require(` - type automount_t, automount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, automount_exec_t, automount_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to automount. -## -## -## -## Domain allowed access. -## -## -# -# - define(`automount_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_signal'($*)) dnl - - gen_require(` - type automount_t; - ') - - allow $1 automount_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_signal'($*)) dnl - ') - - -######################################## -## -## Read automount process state. -## -## -## -## Domain to allow access. -## -## -# - define(`automount_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_read_state'($*)) dnl - - gen_require(` - type automount_t; - ') - - kernel_search_proc($1) - allow $1 automount_t:dir list_dir_perms; - read_files_pattern($1, automount_t, automount_t) - read_lnk_files_pattern($1, automount_t, automount_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_read_state'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## automount file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`automount_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_dontaudit_use_fds'($*)) dnl - - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## automount unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`automount_dontaudit_write_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_dontaudit_write_pipes'($*)) dnl - - gen_require(` - type automount_t; - ') - - dontaudit $1 automount_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_dontaudit_write_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get -## attributes of automount temporary -## directories. -## -## -## -## Domain to not audit. -## -## -# - define(`automount_dontaudit_getattr_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_dontaudit_getattr_tmp_dirs'($*)) dnl - - gen_require(` - type automount_tmp_t; - ') - - dontaudit $1 automount_tmp_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_dontaudit_getattr_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an automount environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`automount_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `automount_admin'($*)) dnl - - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_runtime_t, automount_initrc_exec_t; - type automount_keytab_t; - ') - - allow $1 automount_t:process { ptrace signal_perms }; - ps_process_pattern($1, automount_t) - - init_startstop_service($1, $2, automount_t, automount_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, automount_keytab_t) - - files_list_var($1) - admin_pattern($1, automount_lock_t) - - files_list_tmp($1) - admin_pattern($1, automount_tmp_t) - - files_list_pids($1) - admin_pattern($1, automount_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `automount_admin'($*)) dnl - ') - -## Distributed checksum clearinghouse spam filtering. - -######################################## -## -## Execute cdcc in the cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dcc_domtrans_cdcc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_domtrans_cdcc'($*)) dnl - - gen_require(` - type cdcc_t, cdcc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cdcc_exec_t, cdcc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_domtrans_cdcc'($*)) dnl - ') - - -######################################## -## -## Execute cdcc in the cdcc domain, and -## allow the specified role the -## cdcc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dcc_run_cdcc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_run_cdcc'($*)) dnl - - gen_require(` - attribute_role cdcc_roles; - ') - - dcc_domtrans_cdcc($1) - roleattribute $2 cdcc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_run_cdcc'($*)) dnl - ') - - -######################################## -## -## Execute dcc client in the dcc -## client domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dcc_domtrans_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_domtrans_client'($*)) dnl - - gen_require(` - type dcc_client_t, dcc_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_domtrans_client'($*)) dnl - ') - - -######################################## -## -## Send generic signals to dcc client. -## -## -## -## Domain allowed access. -## -## -# - define(`dcc_signal_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_signal_client'($*)) dnl - - gen_require(` - type dcc_client_t; - ') - - allow $1 dcc_client_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_signal_client'($*)) dnl - ') - - -######################################## -## -## Execute dcc client in the dcc -## client domain, and allow the -## specified role the dcc client domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dcc_run_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_run_client'($*)) dnl - - gen_require(` - attribute_role dcc_client_roles; - ') - - dcc_domtrans_client($1) - roleattribute $2 dcc_client_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_run_client'($*)) dnl - ') - - -######################################## -## -## Execute dbclean in the dcc dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dcc_domtrans_dbclean',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_domtrans_dbclean'($*)) dnl - - gen_require(` - type dcc_dbclean_t, dcc_dbclean_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_domtrans_dbclean'($*)) dnl - ') - - -######################################## -## -## Execute dbclean in the dcc dbclean -## domain, and allow the specified -## role the dcc dbclean domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`dcc_run_dbclean',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_run_dbclean'($*)) dnl - - gen_require(` - attribute_role dcc_dbclean_roles; - ') - - dcc_domtrans_dbclean($1) - roleattribute $2 dcc_dbclean_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_run_dbclean'($*)) dnl - ') - - -######################################## -## -## Connect to dccifd over a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dcc_stream_connect_dccifd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dcc_stream_connect_dccifd'($*)) dnl - - gen_require(` - type dcc_var_t, dccifd_runtime_t, dccifd_t; - ') - - files_search_var($1) - stream_connect_pattern($1, dcc_var_t, dccifd_runtime_t, dccifd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dcc_stream_connect_dccifd'($*)) dnl - ') - -## mDNS/DNS-SD daemon implementing Apple ZeroConf architecture. - -######################################## -## -## Execute avahi server in the avahi domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`avahi_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_domtrans'($*)) dnl - - gen_require(` - type avahi_exec_t, avahi_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, avahi_exec_t, avahi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute avahi init scripts in the -## init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`avahi_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_initrc_domtrans'($*)) dnl - - gen_require(` - type avahi_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to avahi. -## -## -## -## Domain allowed access. 
-## -## -# - define(`avahi_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_signal'($*)) dnl - - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_signal'($*)) dnl - ') - - -######################################## -## -## Send kill signals to avahi. -## -## -## -## Domain allowed access. -## -## -# - define(`avahi_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_kill'($*)) dnl - - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_kill'($*)) dnl - ') - - -######################################## -## -## Send null signals to avahi. -## -## -## -## Domain allowed access. -## -## -# - define(`avahi_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_signull'($*)) dnl - - gen_require(` - type avahi_t; - ') - - allow $1 avahi_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_signull'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## avahi over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`avahi_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_dbus_chat'($*)) dnl - - gen_require(` - type avahi_t; - class dbus send_msg; - ') - - allow $1 avahi_t:dbus send_msg; - allow avahi_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Connect to avahi using a unix -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`avahi_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_stream_connect'($*)) dnl - - gen_require(` - type avahi_t, avahi_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, avahi_runtime_t, avahi_runtime_t, avahi_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_stream_connect'($*)) dnl - ') - - -######################################## -## -## Create avahi pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`avahi_create_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_create_pid_dirs'($*)) dnl - - gen_require(` - type avahi_runtime_t; - ') - - files_search_pids($1) - allow $1 avahi_runtime_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_create_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Set attributes of avahi pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`avahi_setattr_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_setattr_pid_dirs'($*)) dnl - - gen_require(` - type avahi_runtime_t; - ') - - files_search_pids($1) - allow $1 avahi_runtime_t:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_setattr_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, and write avahi pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`avahi_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_manage_pid_files'($*)) dnl - - gen_require(` - type avahi_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, avahi_runtime_t, avahi_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## avahi pid directories. -## -## -## -## Domain to not audit. -## -## -# - define(`avahi_dontaudit_search_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_dontaudit_search_pid'($*)) dnl - - gen_require(` - type avahi_runtime_t; - ') - - dontaudit $1 avahi_runtime_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_dontaudit_search_pid'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## pid directories with the avahi pid file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`avahi_filetrans_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_filetrans_pid'($*)) dnl - - gen_require(` - type avahi_runtime_t; - ') - - files_pid_filetrans($1, avahi_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_filetrans_pid'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an avahi environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`avahi_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `avahi_admin'($*)) dnl - - gen_require(` - type avahi_t, avahi_runtime_t, avahi_initrc_exec_t; - type avahi_var_lib_t; - ') - - allow $1 avahi_t:process { ptrace signal_perms }; - ps_process_pattern($1, avahi_t) - - init_startstop_service($1, $2, avahi_t, avahi_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, avahi_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, avahi_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `avahi_admin'($*)) dnl - ') - -## Alcatel speedtouch USB ADSL modem -## Control Group manager daemon. - -######################################## -## -## Connect to cgmanager with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`cgmanager_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cgmanager_stream_connect'($*)) dnl - - gen_require(` - type cgmanager_t, cgmanager_cgroup_t; - ') - - fs_search_cgroup_dirs($1) - list_dirs_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t) - stream_connect_pattern($1, cgmanager_cgroup_t, cgmanager_cgroup_t, cgmanager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cgmanager_stream_connect'($*)) dnl - ') - -## Dante msproxy and socks4/5 proxy server. - -######################################## -## -## All of the rules required to -## administrate an dante environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dante_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dante_admin'($*)) dnl - - gen_require(` - type dante_t, dante_conf_t, dante_runtime_t; - type dante_initrc_exec_t; - ') - - allow $1 dante_t:process { ptrace signal_perms }; - ps_process_pattern($1, dante_t) - - init_startstop_service($1, $2, dante_t, dante_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, dante_conf_t) - - files_search_pids($1) - admin_pattern($1, dante_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dante_admin'($*)) dnl - ') - -## Name service cache daemon. - -######################################## -## -## Send generic signals to nscd. -## -## -## -## Domain allowed access. -## -## -# - define(`nscd_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_signal'($*)) dnl - - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_signal'($*)) dnl - ') - - -######################################## -## -## Send kill signals to nscd. -## -## -## -## Domain allowed access. -## -## -# - define(`nscd_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_kill'($*)) dnl - - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_kill'($*)) dnl - ') - - -######################################## -## -## Send null signals to nscd. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nscd_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_signull'($*)) dnl - - gen_require(` - type nscd_t; - ') - - allow $1 nscd_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_signull'($*)) dnl - ') - - -######################################## -## -## Execute nscd in the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nscd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_domtrans'($*)) dnl - - gen_require(` - type nscd_t, nscd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nscd_exec_t, nscd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute nscd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`nscd_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_exec'($*)) dnl - - gen_require(` - type nscd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, nscd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_exec'($*)) dnl - ') - - -######################################## -## -## Use nscd services by connecting using -## a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nscd_socket_use',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_socket_use'($*)) dnl - - gen_require(` - type nscd_t, nscd_runtime_t; - class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; - ') - - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; - - dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - - files_search_pids($1) - stream_connect_pattern($1, nscd_runtime_t, nscd_runtime_t, nscd_t) - dontaudit $1 nscd_runtime_t:file read_file_perms; - - ps_process_pattern(nscd_t, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_socket_use'($*)) dnl - ') - - -######################################## -## -## Use nscd services by mapping the -## database from an inherited nscd -## file descriptor. -## -## -## -## Domain allowed access. -## -## -# - define(`nscd_shm_use',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_shm_use'($*)) dnl - - gen_require(` - type nscd_t, nscd_runtime_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - ') - - allow $1 self:unix_stream_socket create_stream_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - allow $1 nscd_t:fd use; - - files_search_pids($1) - stream_connect_pattern($1, nscd_runtime_t, nscd_runtime_t, nscd_t) - dontaudit $1 nscd_runtime_t:file read_file_perms; - - allow $1 nscd_runtime_t:dir list_dir_perms; - allow $1 nscd_runtime_t:sock_file read_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_shm_use'($*)) dnl - ') - - -######################################## -## -## Use nscd services. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nscd_use',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_use'($*)) dnl - - tunable_policy(`nscd_use_shm',` - nscd_shm_use($1) - ',` - nscd_socket_use($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_use'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## nscd pid directories. -## -## -## -## Domain to not audit. -## -## -# - define(`nscd_dontaudit_search_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_search_pid'($*)) dnl - - gen_require(` - type nscd_runtime_t; - ') - - dontaudit $1 nscd_runtime_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_dontaudit_search_pid'($*)) dnl - ') - - -######################################## -## -## Read nscd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`nscd_read_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_read_pid'($*)) dnl - - gen_require(` - type nscd_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, nscd_runtime_t, nscd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_read_pid'($*)) dnl - ') - - -######################################## -## -## Unconfined access to nscd services. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nscd_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_unconfined'($*)) dnl - - gen_require(` - type nscd_t; - class nscd all_nscd_perms; - ') - - allow $1 nscd_t:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_unconfined'($*)) dnl - ') - - -######################################## -## -## Execute nscd in the nscd domain, and -## allow the specified role the nscd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`nscd_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_run'($*)) dnl - - gen_require(` - attribute_role nscd_roles; - ') - - nscd_domtrans($1) - roleattribute $2 nscd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_run'($*)) dnl - ') - - -######################################## -## -## Execute the nscd server init -## script in the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nscd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_initrc_domtrans'($*)) dnl - - gen_require(` - type nscd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an nscd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`nscd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nscd_admin'($*)) dnl - - gen_require(` - type nscd_t, nscd_log_t, nscd_runtime_t; - type nscd_initrc_exec_t; - ') - - allow $1 nscd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nscd_t) - - init_startstop_service($1, $2, nscd_t, nscd_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, nscd_log_t) - - files_list_pids($1) - admin_pattern($1, nscd_runtime_t) - - nscd_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nscd_admin'($*)) dnl - ') - -## AccountsService and daemon for manipulating user account information via D-Bus. - -######################################## -## -## Execute a domain transition to -## run accountsd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`accountsd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_domtrans'($*)) dnl - - gen_require(` - type accountsd_t, accountsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, accountsd_exec_t, accountsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_domtrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write Accounts Daemon fifo files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`accountsd_dontaudit_rw_fifo_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_dontaudit_rw_fifo_file'($*)) dnl - - gen_require(` - type accountsd_t; - ') - - dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_dontaudit_rw_fifo_file'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## accountsd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`accountsd_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_dbus_chat'($*)) dnl - - gen_require(` - type accountsd_t; - class dbus send_msg; - ') - - allow $1 accountsd_t:dbus send_msg; - allow accountsd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Search accountsd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`accountsd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_search_lib'($*)) dnl - - gen_require(` - type accountsd_var_lib_t; - ') - - allow $1 accountsd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read accountsd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`accountsd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_read_lib_files'($*)) dnl - - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 accountsd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## accountsd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`accountsd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_manage_lib_files'($*)) dnl - - gen_require(` - type accountsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an accountsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`accountsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `accountsd_admin'($*)) dnl - - gen_require(` - type accountsd_t; - ') - - allow $1 accountsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, accountsd_t) - - accountsd_manage_lib_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `accountsd_admin'($*)) dnl - ') - -## Jabber instant messaging servers. - -####################################### -## -## The template to define a jabber domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`jabber_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `jabber_domain_template'($*)) dnl - - gen_require(` - attribute jabberd_domain; - ') - - type $1_t, jabberd_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `jabber_domain_template'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## jabber lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`jabber_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `jabber_manage_lib_files'($*)) dnl - - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `jabber_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an jabber environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`jabber_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `jabber_admin'($*)) dnl - - gen_require(` - attribute jabberd_domain; - type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; - type jabberd_var_lib_t, jabberd_runtime_t, jabberd_initrc_exec_t; - ') - - allow $1 jabberd_domain:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_domain) - - init_startstop_service($1, $2, jabberd_domain, jabberd_initrc_exec_t) - - files_search_locks($1) - admin_pattern($1, jabberd_lock_t) - - logging_search_logs($1) - admin_pattern($1, jabberd_log_t) - - files_search_spool($1) - admin_pattern($1, jabberd_spool_t) - - files_search_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, jabberd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `jabber_admin'($*)) dnl - ') - -## Comsat, a biff server. -## Service for downloading news feeds the slrn newsreader. - -######################################## -## -## Search slrnpull spool directories. -## -## -## -## Domain allowed access. -## -## -# - define(`slrnpull_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `slrnpull_search_spool'($*)) dnl - - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - allow $1 slrnpull_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `slrnpull_search_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## slrnpull spool content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`slrnpull_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `slrnpull_manage_spool'($*)) dnl - - gen_require(` - type slrnpull_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `slrnpull_manage_spool'($*)) dnl - ') - -## Cluster File System binary, daemon and command line. - -######################################## -## -## All of the rules required to -## administrate an glusterfs environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`glusterfs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `glusterfs_admin'($*)) dnl - - gen_require(` - type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t; - type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t; - type glusterd_runtime_t; - ') - - init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t) - - allow $1 glusterd_t:process { ptrace signal_perms }; - ps_process_pattern($1, glusterd_t) - - files_search_etc($1) - admin_pattern($1, glusterd_conf_t) - - logging_search_logs($1) - admin_pattern($1, glusterd_log_t) - - files_search_tmp($1) - admin_pattern($1, glusterd_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, glusterd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, glusterd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `glusterfs_admin'($*)) dnl - ') - -## Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards. - -######################################## -## -## Execute a domain transition to run modemmanager. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`modemmanager_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modemmanager_domtrans'($*)) dnl - - gen_require(` - type modemmanager_t, modemmanager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modemmanager_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## modemmanager over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`modemmanager_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modemmanager_dbus_chat'($*)) dnl - - gen_require(` - type modemmanager_t; - class dbus send_msg; - ') - - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modemmanager_dbus_chat'($*)) dnl - ') - -## Statistics collection daemon for filling RRD files. - -######################################## -## -## All of the rules required to -## administrate an collectd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`collectd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `collectd_admin'($*)) dnl - - gen_require(` - type collectd_t, collectd_initrc_exec_t, collectd_runtime_t; - type collectd_var_lib_t; - ') - - allow $1 collectd_t:process { ptrace signal_perms }; - ps_process_pattern($1, collectd_t) - - init_startstop_service($1, $2, collectd_t, collectd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, collectd_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, collectd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `collectd_admin'($*)) dnl - ') - -## RPC port mapping service. - -######################################## -## -## Execute portmap helper in the helper domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`portmap_domtrans_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portmap_domtrans_helper'($*)) dnl - - gen_require(` - type portmap_helper_t, portmap_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portmap_domtrans_helper'($*)) dnl - ') - - -######################################## -## -## Execute portmap helper in the helper -## domain, and allow the specified role -## the helper domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`portmap_run_helper',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portmap_run_helper'($*)) dnl - - gen_require(` - attribute_role portmap_helper_roles; - ') - - portmap_domtrans_helper($1) - roleattribute $2 portmap_helper_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portmap_run_helper'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an portmap environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`portmap_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portmap_admin'($*)) dnl - - gen_require(` - type portmap_t, portmap_initrc_exec_t, portmap_helper_t; - type portmap_runtime_t, portmap_tmp_t; - ') - - allow $1 { portmap_t portmap_helper_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { portmap_t portmap_helper_t }) - - init_startstop_service($1, $2, portmap_t, portmap_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, portmap_runtime_t) - - files_search_tmp($1) - admin_pattern($1, portmap_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portmap_admin'($*)) dnl - ') - -## A scalable high-availability cluster resource manager. - -######################################## -## -## All of the rules required to -## administrate an pacemaker environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pacemaker_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pacemaker_admin'($*)) dnl - - gen_require(` - type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t; - type pacemaker_runtime_t; - ') - - allow $1 pacemaker_t:process { ptrace signal_perms }; - ps_process_pattern($1, pacemaker_t) - - init_startstop_service($1, $2, pacemaker_t, pacemaker_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, pacemaker_var_lib_t) - - files_search_pids($1) - admin_pattern($1, pacemaker_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pacemaker_admin'($*)) dnl - ') - -## MIDI to WAV converter and player configured as a service. -## Intel LLDP Agent. - -####################################### -## -## Send to lldpad with a unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# - define(`lldpad_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lldpad_dgram_send'($*)) dnl - - gen_require(` - type lldpad_t, lldpad_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, lldpad_runtime_t, lldpad_runtime_t, lldpad_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lldpad_dgram_send'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an lldpad environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`lldpad_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lldpad_admin'($*)) dnl - - gen_require(` - type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t; - type lldpad_runtime_t; - ') - - allow $1 lldpad_t:process { ptrace signal_perms }; - ps_process_pattern($1, lldpad_t) - - init_startstop_service($1, $2, lldpad_t, lldpad_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, lldpad_var_lib_t) - - files_search_pids($1) - admin_pattern($1, lldpad_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lldpad_admin'($*)) dnl - ') - -## Spice agent for Linux. - -######################################## -## -## Execute a domain transition to run vdagent. -## -## -## -## Domain allowed access. -## -## -# - define(`vdagent_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_domtrans'($*)) dnl - - gen_require(` - type vdagent_t, vdagent_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, vdagent_exec_t, vdagent_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_domtrans'($*)) dnl - ') - - -##################################### -## -## Get attributes of vdagent executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`vdagent_getattr_exec_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_getattr_exec_files'($*)) dnl - - gen_require(` - type vdagent_exec_t; - ') - - allow $1 vdagent_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_getattr_exec_files'($*)) dnl - ') - - -####################################### -## -## Get attributes of vdagent log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`vdagent_getattr_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_getattr_log'($*)) dnl - - gen_require(` - type vdagent_log_t; - ') - - logging_search_logs($1) - allow $1 vdagent_log_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_getattr_log'($*)) dnl - ') - - -######################################## -## -## Read vdagent pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`vdagent_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_read_pid_files'($*)) dnl - - gen_require(` - type vdagent_runtime_t; - ') - - files_search_pids($1) - allow $1 vdagent_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_read_pid_files'($*)) dnl - ') - - -##################################### -## -## Connect to vdagent with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`vdagent_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_stream_connect'($*)) dnl - - gen_require(` - type vdagent_runtime_t, vdagent_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, vdagent_runtime_t, vdagent_runtime_t, vdagent_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an vdagent environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`vdagent_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `vdagent_admin'($*)) dnl - - gen_require(` - type vdagent_t, vdagent_runtime_t, vdagentd_initrc_exec_t; - type vdagent_log_t; - ') - - allow $1 vdagent_t:process signal_perms; - ps_process_pattern($1, vdagent_t) - - init_startstop_service($1, $2, vdagentd_t, vdagentd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, vdagent_log_t) - - files_search_pids($1) - admin_pattern($1, vdagent_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `vdagent_admin'($*)) dnl - ') - -## Service daemon with a D-BUS interface that provides a dynamic managed firewall. - -######################################## -## -## Read firewalld configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`firewalld_read_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewalld_read_config_files'($*)) dnl - - gen_require(` - type firewalld_etc_rw_t; - ') - - files_search_etc($1) - read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewalld_read_config_files'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## firewalld over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`firewalld_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewalld_dbus_chat'($*)) dnl - - gen_require(` - type firewalld_t; - class dbus send_msg; - ') - - allow $1 firewalld_t:dbus send_msg; - allow firewalld_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewalld_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read, snd -## write firewalld temporary files. -## -## -## -## Domain to not audit. -## -## -# - define(`firewalld_dontaudit_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewalld_dontaudit_rw_tmp_files'($*)) dnl - - gen_require(` - type firewalld_tmp_t; - ') - - dontaudit $1 firewalld_tmp_t:file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewalld_dontaudit_rw_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read firewalld runtime files. -## -## -## -## Domain allowed access. -## -## -# - define(`firewalld_read_var_run_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewalld_read_var_run_files'($*)) dnl - - gen_require(` - type firewalld_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, firewalld_runtime_t, firewalld_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewalld_read_var_run_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an firewalld environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`firewalld_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `firewalld_admin'($*)) dnl - - gen_require(` - type firewalld_t, firewalld_initrc_exec_t; - type firewalld_etc_rw_t, firewalld_runtime_t; - type firewalld_var_log_t; - ') - - allow $1 firewalld_t:process { ptrace signal_perms }; - ps_process_pattern($1, firewalld_t) - - init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, firewalld_runtime_t) - - logging_search_logs($1) - admin_pattern($1, firewalld_var_log_t) - - files_search_etc($1) - admin_pattern($1, firewalld_etc_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `firewalld_admin'($*)) dnl - ') - -## ICQ transport for XMPP server. - -######################################## -## -## All of the rules required to -## administrate an pyicqt environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`pyicqt_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pyicqt_admin'($*)) dnl - - gen_require(` - type pyicqt_t, pyicqt_log_t, pyicqt_spool_t; - type pyicqt_runtime_t, pyicqt_initrc_exec_t, pyicqt_conf_t; - ') - - allow $1 pyicqt_t:process { ptrace signal_perms }; - ps_process_pattern($1, pyicqt_t) - - init_startstop_service($1, $2, pyicqt_t, pyicqt_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, pyicqt_conf_t) - - logging_search_logs($1) - admin_pattern($1, pyicqt_log_t) - - files_search_spool($1) - admin_pattern($1, pyicqt_spool_t) - - files_search_pids($1) - admin_pattern($1, pyicqt_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pyicqt_admin'($*)) dnl - ') - -## Passive Asset Detection System. 
- -######################################## -## -## All of the rules required to -## administrate an pads environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`pads_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pads_admin'($*)) dnl - - gen_require(` - type pads_t, pads_config_t, pads_runtime_t; - type pads_initrc_exec_t; - ') - - allow $1 pads_t:process { ptrace signal_perms }; - ps_process_pattern($1, pads_t) - - init_startstop_service($1, $2, pads_t, pads_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, pads_runtime_t) - - files_search_etc($1) - admin_pattern($1, pads_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pads_admin'($*)) dnl - ') - -## Service for handling smart card readers. - -######################################## -## -## Send null signals to openct. -## -## -## -## Domain allowed access. -## -## -# - define(`openct_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_signull'($*)) dnl - - gen_require(` - type openct_t; - ') - - allow $1 openct_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_signull'($*)) dnl - ') - - -######################################## -## -## Execute openct in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`openct_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_exec'($*)) dnl - - gen_require(` - type openct_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, openct_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_exec'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run openct. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`openct_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_domtrans'($*)) dnl - - gen_require(` - type openct_t, openct_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openct_exec_t, openct_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_domtrans'($*)) dnl - ') - - -######################################## -## -## Read openct pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`openct_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_read_pid_files'($*)) dnl - - gen_require(` - type openct_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, openct_runtime_t, openct_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to openct over an unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`openct_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_stream_connect'($*)) dnl - - gen_require(` - type openct_t, openct_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, openct_runtime_t, openct_runtime_t, openct_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an openct environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`openct_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openct_admin'($*)) dnl - - gen_require(` - type openct_t, openct_initrc_exec_t, openct_runtime_t; - ') - - allow $1 openct_t:process { ptrace signal_perms }; - ps_process_pattern($1, openct_t) - - init_startstop_service($1, $2, openct_t, openct_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, openct_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openct_admin'($*)) dnl - ') - -## OpenSLP server daemon to dynamically register services. - -######################################## -## -## All of the rules required to -## administrate an slpd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`slpd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `slpd_admin'($*)) dnl - - gen_require(` - type slpd_t, slpd_initrc_exec_t, slpd_log_t; - type slpd_runtime_t; - ') - - allow $1 slpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slpd_t) - - init_startstop_service($1, $2, slpd_t, slpd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, slpd_log_t) - - files_search_pids($1) - admin_pattern($1, slpd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `slpd_admin'($*)) dnl - ') - -## Cluster Configuration System. - -######################################## -## -## Execute a domain transition to run ccs. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ccs_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ccs_domtrans'($*)) dnl - - gen_require(` - type ccs_t, ccs_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ccs_exec_t, ccs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ccs_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to ccs over an unix stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`ccs_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ccs_stream_connect'($*)) dnl - - gen_require(` - type ccs_t, ccs_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ccs_runtime_t, ccs_runtime_t, ccs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ccs_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read cluster configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`ccs_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ccs_read_config'($*)) dnl - - gen_require(` - type cluster_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, cluster_conf_t, cluster_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ccs_read_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## cluster configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ccs_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ccs_manage_config'($*)) dnl - - gen_require(` - type cluster_conf_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t) - manage_files_pattern($1, cluster_conf_t, cluster_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ccs_manage_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ccs environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ccs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ccs_admin'($*)) dnl - - gen_require(` - type ccs_t, ccs_initrc_exec_t, cluster_conf_t; - type ccs_var_lib_t, ccs_var_log_t; - type ccs_runtime_t, ccs_tmp_t; - ') - - allow $1 ccs_t:process { ptrace signal_perms }; - ps_process_pattern($1, ccs_t) - - init_startstop_service($1, $2, ccs_t, ccs_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, cluster_conf_t) - - files_search_var_lib($1) - admin_pattern($1, ccs_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, ccs_var_log_t) - - files_search_pids($1) - admin_pattern($1, ccs_runtime_t) - - files_search_tmp($1) - admin_pattern($1, ccs_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ccs_admin'($*)) dnl - ') - -## Update firewall filtering to ban IP addresses with too many password failures. - -######################################## -## -## Execute a domain transition to run fail2ban. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`fail2ban_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans'($*)) dnl - - gen_require(` - type fail2ban_t, fail2ban_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the fail2ban client in -## the fail2ban client domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`fail2ban_domtrans_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans_client'($*)) dnl - - gen_require(` - type fail2ban_client_t, fail2ban_client_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_domtrans_client'($*)) dnl - ') - - -######################################## -## -## Execute fail2ban client in the -## fail2ban client domain, and allow -## the specified role the fail2ban -## client domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`fail2ban_run_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_run_client'($*)) dnl - - gen_require(` - attribute_role fail2ban_client_roles; - ') - - fail2ban_domtrans_client($1) - roleattribute $2 fail2ban_client_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_run_client'($*)) dnl - ') - - -##################################### -## -## Connect to fail2ban over a -## unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fail2ban_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_stream_connect'($*)) dnl - - gen_require(` - type fail2ban_t, fail2ban_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fail2ban_runtime_t, fail2ban_runtime_t, fail2ban_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read and write inherited temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`fail2ban_rw_inherited_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_rw_inherited_tmp_files'($*)) dnl - - gen_require(` - type fail2ban_tmp_t; - ') - - files_search_tmp($1) - allow $1 fail2ban_tmp_t:file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_rw_inherited_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## fail2ban file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`fail2ban_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_use_fds'($*)) dnl - - gen_require(` - type fail2ban_t; - ') - - dontaudit $1 fail2ban_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write fail2ban unix stream sockets -## -## -## -## Domain to not audit. 
-## -## -# - define(`fail2ban_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type fail2ban_t; - ') - - dontaudit $1 fail2ban_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write fail2ban unix -## stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`fail2ban_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_rw_stream_sockets'($*)) dnl - - gen_require(` - type fail2ban_t; - ') - - allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read fail2ban lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`fail2ban_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_read_lib_files'($*)) dnl - - gen_require(` - type fail2ban_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 fail2ban_var_lib_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Read fail2ban log files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`fail2ban_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_read_log'($*)) dnl - - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_read_log'($*)) dnl - ') - - -######################################## -## -## Append fail2ban log files. -## -## -## -## Domain allowed access. -## -## -# - define(`fail2ban_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_append_log'($*)) dnl - - gen_require(` - type fail2ban_log_t; - ') - - logging_search_logs($1) - allow $1 fail2ban_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_append_log'($*)) dnl - ') - - -######################################## -## -## Read fail2ban pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`fail2ban_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_read_pid_files'($*)) dnl - - gen_require(` - type fail2ban_runtime_t; - ') - - files_search_pids($1) - allow $1 fail2ban_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an fail2ban environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`fail2ban_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fail2ban_admin'($*)) dnl - - gen_require(` - type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; - type fail2ban_runtime_t, fail2ban_initrc_exec_t; - type fail2ban_var_lib_t, fail2ban_client_t; - ') - - allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) - - init_startstop_service($1, $2, fail2ban_t, fail2ban_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, fail2ban_log_t) - - files_list_pids($1) - admin_pattern($1, fail2ban_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, fail2ban_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, fail2ban_tmp_t) - - fail2ban_run_client($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fail2ban_admin'($*)) dnl - ') - -## policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling - -######################################## -## -## Execute gssproxy in the gssproxy domin. -## -## -## -## Domain allowed to transition. -## -## -# - define(`gssproxy_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_domtrans'($*)) dnl - - gen_require(` - type gssproxy_t, gssproxy_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_domtrans'($*)) dnl - ') - - -######################################## -## -## Search gssproxy lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gssproxy_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_search_lib'($*)) dnl - - gen_require(` - type gssproxy_var_lib_t; - ') - - allow $1 gssproxy_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_search_lib'($*)) dnl - ') - - -######################################## -## -## Read gssproxy lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`gssproxy_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_read_lib_files'($*)) dnl - - gen_require(` - type gssproxy_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Manage gssproxy lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`gssproxy_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_files'($*)) dnl - - gen_require(` - type gssproxy_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Manage gssproxy lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`gssproxy_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_dirs'($*)) dnl - - gen_require(` - type gssproxy_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read gssproxy PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`gssproxy_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_read_pid_files'($*)) dnl - - gen_require(` - type gssproxy_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to gssproxy over an unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`gssproxy_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_stream_connect'($*)) dnl - - gen_require(` - type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) - stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate -## an gssproxy environment -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`gssproxy_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gssproxy_admin'($*)) dnl - - gen_require(` - type gssproxy_t; - type gssproxy_var_lib_t; - type gssproxy_run_t; - type gssproxy_unit_t; - ') - - allow $1 gssproxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, gssproxy_t) - - files_search_var_lib($1) - admin_pattern($1, gssproxy_var_lib_t) - - files_search_pids($1) - admin_pattern($1, gssproxy_run_t) - - admin_pattern($1, gssproxy_unit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gssproxy_admin'($*)) dnl - ') - -## IPv6 router advertisement daemon. - -######################################## -## -## All of the rules required to -## administrate an radvd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`radvd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `radvd_admin'($*)) dnl - - gen_require(` - type radvd_t, radvd_etc_t, radvd_initrc_exec_t; - type radvd_runtime_t; - ') - - allow $1 radvd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radvd_t) - - init_startstop_service($1, $2, radvd_t, radvd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, radvd_etc_t) - - files_list_pids($1) - admin_pattern($1, radvd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `radvd_admin'($*)) dnl - ') - -## An ident daemon with IP masq/NAT support and the ability to specify responses. - -######################################## -## -## Read oidentd user home content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`oident_read_user_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oident_read_user_content'($*)) dnl - - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oident_read_user_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## oidentd user home content. -## -## -## -## Domain allowed access. -## -## -# - define(`oident_manage_user_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oident_manage_user_content'($*)) dnl - - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oident_manage_user_content'($*)) dnl - ') - - -######################################## -## -## Relabel oidentd user home content. -## -## -## -## Domain allowed access. -## -## -# - define(`oident_relabel_user_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oident_relabel_user_content'($*)) dnl - - gen_require(` - type oidentd_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 oidentd_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oident_relabel_user_content'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the oidentd home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`oident_home_filetrans_oidentd_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oident_home_filetrans_oidentd_home'($*)) dnl - - gen_require(` - type oidentd_home_t; - ') - - userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oident_home_filetrans_oidentd_home'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an oident environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`oident_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oident_admin'($*)) dnl - - gen_require(` - type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; - ') - - allow $1 oidentd_t:process { ptrace signal_perms }; - ps_process_pattern($1, oidentd_t) - - init_startstop_service($1, $2, oidentd_t, oidentd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, oidentd_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oident_admin'($*)) dnl - ') - -## NX remote desktop. - -######################################## -## -## Transition to nx server. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nx_spec_domtrans_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nx_spec_domtrans_server'($*)) dnl - - gen_require(` - type nx_server_t, nx_server_exec_t; - ') - - corecmd_search_bin($1) - spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nx_spec_domtrans_server'($*)) dnl - ') - - -######################################## -## -## Read nx home directory content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nx_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nx_read_home_files'($*)) dnl - - gen_require(` - type nx_server_ssh_home_t, nx_server_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, { nx_server_var_lib_t nx_server_ssh_home_t }, nx_server_ssh_home_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nx_read_home_files'($*)) dnl - ') - - -######################################## -## -## Search nx lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`nx_search_var_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nx_search_var_lib'($*)) dnl - - gen_require(` - type nx_server_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 nx_server_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nx_search_var_lib'($*)) dnl - ') - - -######################################## -## -## Create specified objects in nx lib -## directories with a private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`nx_var_lib_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nx_var_lib_filetrans'($*)) dnl - - gen_require(` - type nx_server_var_lib_t; - ') - - filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nx_var_lib_filetrans'($*)) dnl - ') - -## Shibboleth authentication deamon - -######################################## -## -## Allow your application domain to access -## config files from shibboleth -## -## -## -## The domain which should be enabled. -## -## -# - define(`shibboleth_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shibboleth_read_config'($*)) dnl - - gen_require(` - type shibboleth_etc_t; - ') - - read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shibboleth_read_config'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to shibboleth with a unix socket. -## -## -## -## Domain allowed access. -## -## -# - define(`shibboleth_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `shibboleth_stream_connect'($*)) dnl - - gen_require(` - type shibboleth_t; - type shibboleth_runtime_t; - ') - - stream_connect_pattern($1, shibboleth_runtime_t, shibboleth_runtime_t, shibboleth_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `shibboleth_stream_connect'($*)) dnl - ') - -## Postfix policy server. - -######################################## -## -## All of the rules required to administrate -## an postfixpolicyd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`postfixpolicyd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `postfixpolicyd_admin'($*)) dnl - - gen_require(` - type postfix_policyd_t, postfix_policyd_conf_t; - type postfix_policyd_runtime_t, postfix_policyd_initrc_exec_t; - ') - - allow $1 postfix_policyd_t:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_policyd_t) - - init_startstop_service($1, $2, postfix_policyd_t, postfix_policyd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, postfix_policyd_conf_t) - - files_list_pids($1) - admin_pattern($1, postfix_policyd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `postfixpolicyd_admin'($*)) dnl - ') - -## Internet Storage Name Service. - -######################################## -## -## All of the rules required to -## administrate an isnsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`isnsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `isnsd_admin'($*)) dnl - - gen_require(` - type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t; - type isnsd_runtime_t; - ') - - allow $1 isnsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, isnsd_t) - - init_startstop_service($1, $2, isnsd_t, isnsd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, isnsd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, isnsd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `isnsd_admin'($*)) dnl - ') - -## ClamAV Virus Scanner. - -######################################## -## -## Execute a domain transition to run clamd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`clamav_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_domtrans'($*)) dnl - - gen_require(` - type clamd_t, clamd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clamd_exec_t, clamd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute clamd programs in the clamd -## domain and allow the specified role -## the clamd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`clamav_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_run'($*)) dnl - - gen_require(` - type clamd_t; - ') - - clamav_domtrans($1) - role $2 types clamd_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_run'($*)) dnl - ') - - -######################################## -## -## Connect to clamd using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_stream_connect'($*)) dnl - - gen_require(` - type clamd_t, clamd_runtime_t; - ') - - allow clamd_t $1:fd use; - - files_search_pids($1) - stream_connect_pattern($1, clamd_runtime_t, clamd_runtime_t, clamd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_stream_connect'($*)) dnl - ') - - -######################################## -## -## Append clamav log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`clamav_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_append_log'($*)) dnl - - gen_require(` - type clamd_var_log_t; - ') - - logging_search_logs($1) - allow $1 clamd_var_log_t:dir list_dir_perms; - append_files_pattern($1, clamd_var_log_t, clamd_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## clamav pid content. -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_manage_pid_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_manage_pid_content'($*)) dnl - - gen_require(` - type clamd_runtime_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, clamd_runtime_t, clamd_runtime_t) - manage_files_pattern($1, clamd_runtime_t, clamd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_manage_pid_content'($*)) dnl - ') - - -######################################## -## -## Read clamav configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_read_config'($*)) dnl - - gen_require(` - type clamd_etc_t; - ') - - files_search_etc($1) - allow $1 clamd_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_read_config'($*)) dnl - ') - - -######################################## -## -## Search clamav library directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`clamav_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_search_lib'($*)) dnl - - gen_require(` - type clamd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 clamd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_search_lib'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run clamscan. -## -## -## -## Domain allowed to transition. -## -## -# - define(`clamav_domtrans_clamscan',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_domtrans_clamscan'($*)) dnl - - gen_require(` - type clamscan_t, clamscan_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clamscan_exec_t, clamscan_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_domtrans_clamscan'($*)) dnl - ') - - -######################################## -## -## Execute clamscan in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_exec_clamscan',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_exec_clamscan'($*)) dnl - - gen_require(` - type clamscan_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, clamscan_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_exec_clamscan'($*)) dnl - ') - - -####################################### -## -## Read clamd process state files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`clamav_read_state_clamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_read_state_clamd'($*)) dnl - - gen_require(` - type clamd_t; - ') - - kernel_search_proc($1) - allow $1 clamd_t:dir list_dir_perms; - read_files_pattern($1, clamd_t, clamd_t) - read_lnk_files_pattern($1, clamd_t, clamd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_read_state_clamd'($*)) dnl - ') - - -####################################### -## -## Read clam virus signature files -## -## -##

-## Useful for when using things like 'sigtool' -## which provides useful information about -## ClamAV signature files. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`clamav_read_signatures',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_read_signatures'($*)) dnl - - gen_require(` - type clamd_var_lib_t; - ') - - clamav_search_lib($1) - allow $1 clamd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t) - read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_read_signatures'($*)) dnl - ') - - -####################################### -## -## Denote a particular type to be scanned by ClamAV -## -## -## -## Type that clamd_t and clamscan_t can read. -## -## -# - define(`clamav_scannable_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_scannable_files'($*)) dnl - - gen_require(` - attribute clam_scannable_type; - ') - - typeattribute $1 clam_scannable_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_scannable_files'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run freshclam. -## -## -## -## Domain allowed to transition. -## -## -# - define(`clamav_domtrans_freshclam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_domtrans_freshclam'($*)) dnl - - gen_require(` - type freshclam_t, freshclam_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, freshclam_exec_t, freshclam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_domtrans_freshclam'($*)) dnl - ') - - -######################################## -## -## Execute freshclam in the freshclam domain, and -## allow the specified role the freshclam domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`clamav_run_freshclam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_run_freshclam'($*)) dnl - - gen_require(` - type freshclam_t; - ') - - clamav_domtrans_freshclam($1) - role $2 types freshclam_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_run_freshclam'($*)) dnl - ') - - -######################################## -## -## Execute freshclam in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_exec_freshclam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_exec_freshclam'($*)) dnl - - gen_require(` - type freshclam_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, freshclam_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_exec_freshclam'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to enable clamd units -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_enabledisable_clamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_enabledisable_clamd'($*)) dnl - - gen_require(` - type clamd_unit_t; - class service { enable disable }; - ') - - allow $1 clamd_unit_t:service { enable disable }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_enabledisable_clamd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start clamd units -## -## -## -## Domain allowed access. 
-## -## -# - define(`clamav_startstop_clamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_startstop_clamd'($*)) dnl - - gen_require(` - type clamd_unit_t; - class service { start stop }; - ') - - allow $1 clamd_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_startstop_clamd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of clamd -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_status_clamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_status_clamd'($*)) dnl - - gen_require(` - type clamd_unit_t; - class service status; - ') - - allow $1 clamd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_status_clamd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain reload of clamd -## -## -## -## Domain allowed access. -## -## -# - define(`clamav_reload_clamd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_reload_clamd'($*)) dnl - - gen_require(` - type clamd_unit_t; - class service reload; - ') - - allow $1 clamd_unit_t:service reload; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_reload_clamd'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an clamav environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`clamav_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clamav_admin'($*)) dnl - - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; - type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; - type clamd_runtime_t, clamscan_t, clamscan_tmp_t; - type freshclam_t, freshclam_var_log_t; - ') - - allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) - - init_startstop_service($1, $2, clamd_t, clamd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - - files_list_var_lib($1) - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) - admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) - - files_list_pids($1) - admin_pattern($1, clamd_runtime_t) - - files_list_tmp($1) - admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clamav_admin'($*)) dnl - ') - -## GIT revision control system. - -######################################## -## -## Role access for Git session. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. 
-## -## -# - define(`git_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `git_role'($*)) dnl - - gen_require(` - attribute_role git_session_roles; - type git_session_t, gitd_exec_t, git_user_content_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 git_session_roles; - - ######################################## - # - # Policy - # - - allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") - - allow $2 git_session_t:process { ptrace signal_perms }; - ps_process_pattern($2, git_session_t) - - tunable_policy(`git_session_users',` - domtrans_pattern($2, gitd_exec_t, git_session_t) - ',` - can_exec($2, gitd_exec_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `git_role'($*)) dnl - ') - - -######################################## -## -## Read generic system content files. -## -## -## -## Domain allowed access. -## -## -# - define(`git_read_generic_sys_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `git_read_generic_sys_content_files'($*)) dnl - - gen_require(` - type git_sys_content_t; - ') - - list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) - read_files_pattern($1, git_sys_content_t, git_sys_content_t) - - files_search_var_lib($1) - - tunable_policy(`git_system_use_cifs',` - fs_getattr_cifs($1) - fs_list_cifs($1) - fs_read_cifs_files($1) - ') - - tunable_policy(`git_system_use_nfs',` - fs_getattr_nfs($1) - fs_list_nfs($1) - fs_read_nfs_files($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `git_read_generic_sys_content_files'($*)) dnl - ') - -## Iptables/netfilter userspace logging daemon. 
- -######################################## -## -## Execute a domain transition to run ulogd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ulogd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_domtrans'($*)) dnl - - gen_require(` - type ulogd_t, ulogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ulogd_exec_t, ulogd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_domtrans'($*)) dnl - ') - - -######################################## -## -## Read ulogd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`ulogd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_read_config'($*)) dnl - - gen_require(` - type ulogd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_read_config'($*)) dnl - ') - - -######################################## -## -## Read ulogd log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`ulogd_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_read_log'($*)) dnl - - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_read_log'($*)) dnl - ') - - -####################################### -## -## Search ulogd log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ulogd_search_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_search_log'($*)) dnl - - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_search_log'($*)) dnl - ') - - -######################################## -## -## Append to ulogd log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`ulogd_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_append_log'($*)) dnl - - gen_require(` - type ulogd_var_log_t; - ') - - logging_search_logs($1) - allow $1 ulogd_var_log_t:dir list_dir_perms; - allow $1 ulogd_var_log_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_append_log'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ulogd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ulogd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ulogd_admin'($*)) dnl - - gen_require(` - type ulogd_t, ulogd_etc_t, ulogd_modules_t; - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - - allow $1 ulogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ulogd_t) - - init_startstop_service($1, $2, ulogd_t, ulogd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, ulogd_etc_t) - - logging_list_logs($1) - admin_pattern($1, ulogd_var_log_t) - - files_list_usr($1) - admin_pattern($1, ulogd_modules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ulogd_admin'($*)) dnl - ') - -## X Windows Font Server. 
- -######################################## -## -## Read xfs temporary sock files. -## -## -## -## Domain allowed access. -## -## -# - define(`xfs_read_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xfs_read_sockets'($*)) dnl - - gen_require(` - type xfs_tmp_t; - ') - - files_search_tmp($1) - read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xfs_read_sockets'($*)) dnl - ') - - -######################################## -## -## Connect to xfs with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`xfs_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xfs_stream_connect'($*)) dnl - - gen_require(` - type xfs_tmp_t, xfs_t; - ') - - files_search_tmp($1) - stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xfs_stream_connect'($*)) dnl - ') - - -######################################## -## -## Execute xfs in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`xfs_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xfs_exec'($*)) dnl - - gen_require(` - type xfs_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, xfs_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xfs_exec'($*)) dnl - ') - - -######################################## -## -## Create xfs temporary dirs -## -## -## -## Domain allowed access. 
-## -## -# - define(`xfs_create_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xfs_create_tmp_dirs'($*)) dnl - - gen_require(` - type xfs_tmp_t; - ') - - files_search_tmp($1) - allow $1 xfs_tmp_t:dir create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xfs_create_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an xfs environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`xfs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xfs_admin'($*)) dnl - - gen_require(` - type xfs_t, xfs_initrc_exec_t, xfs_runtime_t; - type xfs_tmp_t; - ') - - allow $1 xfs_t:process { ptrace signal_perms }; - ps_process_pattern($1, xfs_t) - - init_startstop_service($1, $2, xfs_t, xfs_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, xfs_runtime_t) - - files_search_tmp($1) - admin_pattern($1, xfs_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xfs_admin'($*)) dnl - ') - -## SASL authentication server. - -######################################## -## -## Connect to SASL. -## -## -## -## Domain allowed access. -## -## -# - define(`sasl_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sasl_connect'($*)) dnl - - gen_require(` - type saslauthd_t, saslauthd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sasl_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sasl environment. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`sasl_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sasl_admin'($*)) dnl - - gen_require(` - type saslauthd_t, saslauthd_runtime_t, saslauthd_initrc_exec_t; - type saslauthd_keytab_t; - ') - - allow $1 saslauthd_t:process { ptrace signal_perms }; - ps_process_pattern($1, saslauthd_t) - - init_startstop_service($1, $2, saslauthd_t, saslauthd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, saslauthd_keytab_t) - - files_list_pids($1) - admin_pattern($1, saslauthd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sasl_admin'($*)) dnl - ') - -## Hard disk temperature tool running as a daemon. - -####################################### -## -## Execute a domain transition to run hddtemp. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hddtemp_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hddtemp_domtrans'($*)) dnl - - gen_require(` - type hddtemp_t, hddtemp_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hddtemp_domtrans'($*)) dnl - ') - - -###################################### -## -## Execute hddtemp in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`hddtemp_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hddtemp_exec'($*)) dnl - - gen_require(` - type hddtemp_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, hddtemp_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hddtemp_exec'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an hddtemp environment. 
-## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`hddtemp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hddtemp_admin'($*)) dnl - - gen_require(` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - - allow $1 hddtemp_t:process { ptrace signal_perms }; - ps_process_pattern($1, hddtemp_t) - - init_startstop_service($1, $2, hddtemp_t, hddtemp_initrc_exec_t) - - admin_pattern($1, hddtemp_etc_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hddtemp_admin'($*)) dnl - ') - -## E-mail security and anti-spam package for e-mail gateway systems. - -######################################## -## -## Create, read, write, and delete -## mscan spool content. -## -## -## -## Domain allowed access. -## -## -# - define(`mscan_manage_spool_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mscan_manage_spool_content'($*)) dnl - - gen_require(` - type mscan_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) - manage_files_pattern($1, mscan_spool_t, mscan_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mscan_manage_spool_content'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mscan environment -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`mscan_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mscan_admin'($*)) dnl - - gen_require(` - type mscan_t, mscan_etc_t, mscan_initrc_exec_t; - type mscan_runtime_t, mscan_spool_t; - ') - - allow $1 mscan_t:process { ptrace signal_perms }; - ps_process_pattern($1, mscan_t) - - init_startstop_service($1, $2, mscan_t, mscan_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, mscan_etc_t) - - files_search_pids($1) - admin_pattern($1, mscan_runtime_t) - - files_search_spool($1) - admin_pattern($1, mscan_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mscan_admin'($*)) dnl - ') - -## OpenLDAP directory server. - -######################################## -## -## List ldap database directories. -## -## -## -## Domain allowed access. -## -## -# - define(`ldap_list_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_list_db'($*)) dnl - - gen_require(` - type slapd_db_t; - ') - - files_search_etc($1) - allow $1 slapd_db_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_list_db'($*)) dnl - ') - - -######################################## -## -## Read ldap configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`ldap_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_read_config'($*)) dnl - - gen_require(` - type slapd_etc_t; - ') - - files_search_etc($1) - allow $1 slapd_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_read_config'($*)) dnl - ') - - -######################################## -## -## Connect to slapd over an unix -## stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ldap_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_stream_connect'($*)) dnl - - gen_require(` - type slapd_t, slapd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, slapd_runtime_t, slapd_runtime_t, slapd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_stream_connect'($*)) dnl - ') - - -######################################## -## -## Connect to ldap over the network. -## -## -## -## Domain allowed access. -## -## -# - define(`ldap_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_tcp_connect'($*)) dnl - - gen_require(` - type slapd_t; - ') - - corenet_sendrecv_ldap_client_packets($1) - corenet_tcp_connect_ldap_port($1) - corenet_tcp_recvfrom_labeled($1, slapd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_tcp_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ldap environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ldap_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_admin'($*)) dnl - - gen_require(` - type slapd_t, slapd_tmp_t, slapd_replog_t; - type slapd_lock_t, slapd_etc_t, slapd_runtime_t; - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; - type slapd_db_t, slapd_keytab_t; - ') - - allow $1 slapd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slapd_t) - - init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) - - files_list_locks($1) - admin_pattern($1, slapd_lock_t) - - logging_list_logs($1) - admin_pattern($1, slapd_log_t) - - files_search_var_lib($1) - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) - admin_pattern($1, slapd_tmp_t) - - files_list_pids($1) - admin_pattern($1, slapd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_admin'($*)) dnl - ') - - -######################################## -## -## Execute slapd in the slapd domain, and -## allow the given role the slapd_t type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`ldap_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ldap_run'($*)) dnl - - gen_require(` - type slapd_t; - type slapd_exec_t; - ') - - role $2 types slapd_t; - domtrans_pattern($1, slapd_exec_t, slapd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ldap_run'($*)) dnl - ') - -## TSS Core Services daemon. - -######################################## -## -## Execute a domain transition to run tcsd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`tcsd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_domtrans'($*)) dnl - - gen_require(` - type tcsd_t, tcsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tcsd_exec_t, tcsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute tcsd init scripts in the -## initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tcsd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_initrc_domtrans'($*)) dnl - - gen_require(` - type tcsd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, tcsd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Search tcsd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`tcsd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_search_lib'($*)) dnl - - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 tcsd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_search_lib'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## tcsd lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`tcsd_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_dirs'($*)) dnl - - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read tcsd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`tcsd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_read_lib_files'($*)) dnl - - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## tcsd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`tcsd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_files'($*)) dnl - - gen_require(` - type tcsd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an tcsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`tcsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcsd_admin'($*)) dnl - - gen_require(` - type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; - ') - - allow $1 tcsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, tcsd_t) - - init_startstop_service($1, $2, tcsd_t, tcsd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, tcsd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcsd_admin'($*)) dnl - ') - -## IEEE 802.11 wireless LAN Host AP daemon. -## Fibre Channel over Ethernet utilities. - -####################################### -## -## Send to fcoemon with a unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# - define(`fcoe_dgram_send_fcoemon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fcoe_dgram_send_fcoemon'($*)) dnl - - gen_require(` - type fcoemon_t, fcoemon_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, fcoemon_runtime_t, fcoemon_runtime_t, fcoemon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fcoe_dgram_send_fcoemon'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an fcoemon environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`fcoe_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fcoe_admin'($*)) dnl - - gen_require(` - type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_runtime_t; - ') - - allow $1 fcoemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, fcoemon_t) - - init_startstop_service($1, $2, fcoemon_t, fcoemon_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, fcoemon_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fcoe_admin'($*)) dnl - ') - -## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA. - -######################################## -## -## Execute realmd in the realmd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`realmd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `realmd_domtrans'($*)) dnl - - gen_require(` - type realmd_t, realmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, realmd_exec_t, realmd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `realmd_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## realmd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`realmd_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `realmd_dbus_chat'($*)) dnl - - gen_require(` - type realmd_t; - class dbus send_msg; - ') - - allow $1 realmd_t:dbus send_msg; - allow realmd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `realmd_dbus_chat'($*)) dnl - ') - -## Realtime scheduling for user processes. - -######################################## -## -## Execute a domain transition to run rtkit_daemon. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`rtkit_daemon_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtkit_daemon_domtrans'($*)) dnl - - gen_require(` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtkit_daemon_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## rtkit_daemon over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`rtkit_daemon_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtkit_daemon_dbus_chat'($*)) dnl - - gen_require(` - type rtkit_daemon_t; - class dbus send_msg; - ') - - allow $1 rtkit_daemon_t:dbus send_msg; - allow rtkit_daemon_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtkit_daemon_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Allow rtkit to control scheduling for your process. -## -## -## -## Domain allowed access. -## -## -# - define(`rtkit_scheduled',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtkit_scheduled'($*)) dnl - - gen_require(` - type rtkit_daemon_t; - ') - - allow rtkit_daemon_t $1:process { getsched setsched }; - - kernel_search_proc($1) - ps_process_pattern(rtkit_daemon_t, $1) - - optional_policy(` - rtkit_daemon_dbus_chat($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtkit_scheduled'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rtkit environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rtkit_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rtkit_admin'($*)) dnl - - gen_require(` - type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; - ') - - allow $1 rtkit_daemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, rtkit_daemon_t) - - init_startstop_service($1, $2, rtkit_daemon_t, rtkit_daemon_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rtkit_admin'($*)) dnl - ') - -## Policy framework for controlling privileges for system-wide services. - -######################################## -## -## Send and receive messages from -## policykit over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`policykit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat'($*)) dnl - - gen_require(` - type policykit_t; - class dbus send_msg; - ') - - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## policykit auth over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`policykit_dbus_chat_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat_auth'($*)) dnl - - gen_require(` - type policykit_auth_t; - class dbus send_msg; - ') - - allow $1 policykit_auth_t:dbus send_msg; - allow policykit_auth_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_dbus_chat_auth'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run polkit_auth. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`policykit_domtrans_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_domtrans_auth'($*)) dnl - - gen_require(` - type policykit_auth_t, policykit_auth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_domtrans_auth'($*)) dnl - ') - - -######################################## -## -## Execute a policy_auth in the policy -## auth domain, and allow the specified -## role the policy auth domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`policykit_run_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_run_auth'($*)) dnl - - gen_require(` - attribute_role policykit_auth_roles; - ') - - policykit_domtrans_auth($1) - roleattribute $2 policykit_auth_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_run_auth'($*)) dnl - ') - - -####################################### -## -## Send generic signals to -## policykit auth. -## -## -## -## Domain allowed access. -## -## -# - define(`policykit_signal_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_signal_auth'($*)) dnl - - gen_require(` - type policykit_auth_t; - ') - - allow $1 policykit_auth_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_signal_auth'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run polkit grant. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`policykit_domtrans_grant',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_domtrans_grant'($*)) dnl - - gen_require(` - type policykit_grant_t, policykit_grant_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_domtrans_grant'($*)) dnl - ') - - -######################################## -## -## Execute a policy_grant in the policy -## grant domain, and allow the specified -## role the policy grant domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`policykit_run_grant',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_run_grant'($*)) dnl - - gen_require(` - attribute_role policykit_grant_roles; - ') - - policykit_domtrans_grant($1) - roleattribute $2 policykit_grant_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_run_grant'($*)) dnl - ') - - -######################################## -## -## Read policykit reload files. -## -## -## -## Domain allowed access. -## -## -# - define(`policykit_read_reload',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_read_reload'($*)) dnl - - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_reload_t, policykit_reload_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_read_reload'($*)) dnl - ') - - -######################################## -## -## Read and write policykit reload files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`policykit_rw_reload',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_rw_reload'($*)) dnl - - gen_require(` - type policykit_reload_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, policykit_reload_t, policykit_reload_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_rw_reload'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run polkit resolve. -## -## -## -## Domain allowed to transition. -## -## -# - define(`policykit_domtrans_resolve',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_domtrans_resolve'($*)) dnl - - gen_require(` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_domtrans_resolve'($*)) dnl - ') - - -######################################## -## -## Search policykit lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`policykit_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_search_lib'($*)) dnl - - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 policykit_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_search_lib'($*)) dnl - ') - - -######################################## -## -## Read policykit lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`policykit_read_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `policykit_read_lib'($*)) dnl - - gen_require(` - type policykit_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `policykit_read_lib'($*)) dnl - ') - -## DomainKeys Identified Mail milter. - -######################################## -## -## Allow a domain to talk to dkim via Unix domain socket -## -## -## -## Domain allowed access. -## -## -# - define(`dkim_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dkim_stream_connect'($*)) dnl - - gen_require(` - type dkim_milter_data_t, dkim_milter_t; - ') - - stream_connect_pattern($1, dkim_milter_data_t, dkim_milter_data_t, dkim_milter_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dkim_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dkim environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dkim_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dkim_admin'($*)) dnl - - gen_require(` - type dkim_milter_t, dkim_milter_initrc_exec_t, dkim_milter_private_key_t; - type dkim_milter_data_t; - ') - - allow $1 dkim_milter_t:process { ptrace signal_perms }; - ps_process_pattern($1, dkim_milter_t) - - init_startstop_service($1, $2, dkim_milter_t, dkim_milter_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, dkim_milter_private_key_t) - - files_search_pids($1) - admin_pattern($1, dkim_milter_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dkim_admin'($*)) dnl - ') - -## Service for reporting kernel oopses to kerneloops.org. - -######################################## -## -## Execute a domain transition to run kerneloops. -## -## -## -## Domain allowed to transition. -## -## -# - define(`kerneloops_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerneloops_domtrans'($*)) dnl - - gen_require(` - type kerneloops_t, kerneloops_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerneloops_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## kerneloops over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kerneloops_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerneloops_dbus_chat'($*)) dnl - - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - allow $1 kerneloops_t:dbus send_msg; - allow kerneloops_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerneloops_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to Send and -## receive messages from kerneloops -## over dbus. -## -## -## -## Domain to not audit. -## -## -# - define(`kerneloops_dontaudit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerneloops_dontaudit_dbus_chat'($*)) dnl - - gen_require(` - type kerneloops_t; - class dbus send_msg; - ') - - dontaudit $1 kerneloops_t:dbus send_msg; - dontaudit kerneloops_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerneloops_dontaudit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kerneloops temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`kerneloops_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerneloops_manage_tmp_files'($*)) dnl - - gen_require(` - type kerneloops_tmp_t; - ') - - files_search_tmp($1) - allow $1 kerneloops_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerneloops_manage_tmp_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an kerneloops environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`kerneloops_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerneloops_admin'($*)) dnl - - gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; - ') - - allow $1 kerneloops_t:process { ptrace signal_perms }; - ps_process_pattern($1, kerneloops_t) - - init_startstop_service($1, $2, kerneloops_t, kerneloops_initrc_exec_t) - - files_search_tmp($1) - admin_pattern($1, kerneloops_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerneloops_admin'($*)) dnl - ') - -## OpenH.323 Voice-Over-IP Gatekeeper. - -######################################## -## -## All of the rules required to -## administrate an gatekeeper environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`gatekeeper_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gatekeeper_admin'($*)) dnl - - gen_require(` - type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t; - type gatekeeper_runtime_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t; - ') - - allow $1 gatekeeper_t:process { ptrace signal_perms }; - ps_process_pattern($1, gatekeeper_t) - - init_startstop_service($1, $2, gatekeeper_t, gatekeeper_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, gatekeeper_etc_t) - - logging_search_logs($1) - admin_pattern($1, gatekeeper_log_t) - - files_search_tmp($1) - admin_pattern($1, gatekeeper_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, gatekeeper_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gatekeeper_admin'($*)) dnl - ') - -## Courier IMAP and POP3 email servers. - -####################################### -## -## The template to define a courier domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`courier_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_domain_template'($*)) dnl - - gen_require(` - attribute courier_domain; - ') - - ######################################## - # - # Declarations - # - - type courier_$1_t, courier_domain; - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - - ######################################## - # - # Policy - # - - can_exec(courier_$1_t, courier_$1_exec_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_domain_template'($*)) dnl - ') - - -######################################## -## -## Execute the courier authentication -## daemon with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`courier_domtrans_authdaemon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_domtrans_authdaemon'($*)) dnl - - gen_require(` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_domtrans_authdaemon'($*)) dnl - ') - - -####################################### -## -## Connect to courier-authdaemon over -## a unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`courier_stream_connect_authdaemon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_stream_connect_authdaemon'($*)) dnl - - gen_require(` - type courier_authdaemon_t, courier_runtime_t; - ') - - files_search_spool($1) - stream_connect_pattern($1, courier_runtime_t, courier_runtime_t, courier_authdaemon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_stream_connect_authdaemon'($*)) dnl - ') - - -######################################## -## -## Execute the courier POP3 and IMAP -## server with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`courier_domtrans_pop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_domtrans_pop'($*)) dnl - - gen_require(` - type courier_pop_t, courier_pop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_domtrans_pop'($*)) dnl - ') - - -######################################## -## -## Read courier config files. -## -## -## -## Domain allowed access. -## -## -# - define(`courier_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_read_config'($*)) dnl - - gen_require(` - type courier_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, courier_etc_t, courier_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_read_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete courier -## spool directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`courier_manage_spool_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_manage_spool_dirs'($*)) dnl - - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_manage_spool_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete courier -## spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`courier_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_manage_spool_files'($*)) dnl - - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## Read courier spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`courier_read_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_read_spool'($*)) dnl - - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_read_spool'($*)) dnl - ') - - -######################################## -## -## Read and write courier spool pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`courier_rw_spool_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `courier_rw_spool_pipes'($*)) dnl - - gen_require(` - type courier_spool_t; - ') - - files_search_var($1) - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `courier_rw_spool_pipes'($*)) dnl - ') - -## Network time protocol daemon. - -######################################## -## -## NTP stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_stub'($*)) dnl - - gen_require(` - type ntpd_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_stub'($*)) dnl - ') - - -######################################## -## -## Read ntp.conf -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_read_config'($*)) dnl - - gen_require(` - type ntp_conf_t; - ') - - allow $1 ntp_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_read_config'($*)) dnl - ') - - -######################################## -## -## Execute ntp server in the ntpd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ntp_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_domtrans'($*)) dnl - - gen_require(` - type ntpd_t, ntpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpd_exec_t, ntpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ntp in the ntp domain, and -## allow the specified role the ntp domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ntp_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_run'($*)) dnl - - gen_require(` - attribute_role ntpd_roles; - ') - - ntp_domtrans($1) - roleattribute $2 ntpd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_run'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## ntpd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_dbus_chat'($*)) dnl - - gen_require(` - type ntpd_t; - class dbus send_msg; - ') - - allow $1 ntpd_t:dbus send_msg; - allow ntpd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Execute ntpdate server in the ntpd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ntp_domtrans_ntpdate',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_domtrans_ntpdate'($*)) dnl - - gen_require(` - type ntpd_t, ntpdate_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ntpdate_exec_t, ntpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_domtrans_ntpdate'($*)) dnl - ') - - -######################################## -## -## Execute ntpd init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ntp_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_initrc_domtrans'($*)) dnl - - gen_require(` - type ntpd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read ntp conf files. -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_read_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_read_conf_files'($*)) dnl - - gen_require(` - type ntp_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, ntp_conf_t, ntp_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_read_conf_files'($*)) dnl - ') - - -######################################## -## -## Read ntp drift files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ntp_read_drift_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_read_drift_files'($*)) dnl - - gen_require(` - type ntp_drift_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, ntp_drift_t, ntp_drift_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_read_drift_files'($*)) dnl - ') - - -######################################## -## -## Read and write ntpd shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_rw_shm'($*)) dnl - - gen_require(` - type ntpd_t, ntpd_tmpfs_t; - ') - - allow $1 ntpd_t:shm rw_shm_perms; - list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_rw_shm'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to enable/disable ntpd unit -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_enabledisable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_enabledisable'($*)) dnl - - ifdef(`init_systemd',` - gen_require(` - type ntpd_unit_t; - class service { enable disable }; - ') - - allow $1 ntpd_unit_t:service { enable disable }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_enabledisable'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start/stop ntpd unit -## -## -## -## Domain allowed access. 
-## -## -# - define(`ntp_startstop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_startstop'($*)) dnl - - ifdef(`init_systemd',` - gen_require(` - type ntpd_unit_t; - class service { start stop }; - ') - - allow $1 ntpd_unit_t:service { start stop }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_startstop'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of ntpd unit -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_status'($*)) dnl - - ifdef(`init_systemd',` - gen_require(` - type ntpd_unit_t; - class service status; - ') - - allow $1 ntpd_unit_t:service status; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_status'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ntp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ntp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_admin'($*)) dnl - - gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_pid_t, ntp_conf_t; - type ntpd_initrc_exec_t, ntp_drift_t; - type ntpd_unit_t; - ') - - allow $1 ntpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ntpd_t) - - init_startstop_service($1, $2, ntpd_t, ntpd_initrc_exec_t, ntpd_unit_t) - - files_list_etc($1) - admin_pattern($1, { ntpd_key_t ntp_conf_t }) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) - - files_list_tmp($1) - admin_pattern($1, ntpd_tmp_t) - - files_list_var_lib($1) - admin_pattern($1, ntp_drift_t) - - files_list_pids($1) - admin_pattern($1, ntpd_pid_t) - - ntp_run($1, $2) - - ifdef(`init_systemd',` - gen_require(` - class dbus send_msg; - ') - - allow $1 ntpd_t:dbus send_msg; - allow ntpd_t $1:dbus send_msg; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_admin'($*)) dnl - ') - - -# This should be in an ifdef distro_gentoo but that is not allowed in if files - -######################################## -## -## Manage ntp(d) configuration. -## -## -## -## Domain allowed access. -## -## -# - define(`ntp_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ntp_manage_config'($*)) dnl - - gen_require(` - type ntp_conf_t; - ') - - manage_files_pattern($1, ntp_conf_t, ntp_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ntp_manage_config'($*)) dnl - ') - -## Certificate status monitor and PKI enrollment client. - -######################################## -## -## Execute a domain transition to run certmonger. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`certmonger_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_domtrans'($*)) dnl - - gen_require(` - type certmonger_t, certmonger_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, certmonger_exec_t, certmonger_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## certmonger over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`certmonger_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_dbus_chat'($*)) dnl - - gen_require(` - type certmonger_t; - class dbus send_msg; - ') - - allow $1 certmonger_t:dbus send_msg; - allow certmonger_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Execute certmonger server in -## the certmonger domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`certmonger_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_initrc_domtrans'($*)) dnl - - gen_require(` - type certmonger_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, certmonger_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read certmonger PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`certmonger_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_read_pid_files'($*)) dnl - - gen_require(` - type certmonger_runtime_t; - ') - - files_search_pids($1) - allow $1 certmonger_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Search certmonger lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`certmonger_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_search_lib'($*)) dnl - - gen_require(` - type certmonger_var_lib_t; - ') - - allow $1 certmonger_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_search_lib'($*)) dnl - ') - - -######################################## -## -## Read certmonger lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`certmonger_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_read_lib_files'($*)) dnl - - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## certmonger lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`certmonger_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_manage_lib_files'($*)) dnl - - gen_require(` - type certmonger_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an certmonger environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`certmonger_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `certmonger_admin'($*)) dnl - - gen_require(` - type certmonger_t, certmonger_initrc_exec_t; - type certmonger_var_lib_t, certmonger_runtime_t; - ') - - ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; - - init_startstop_service($1, $2, certmonger_t, certmonger_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - - files_search_pids($1) - admin_pattern($1, certmonger_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `certmonger_admin'($*)) dnl - ') - -## W3C Markup Validator. -## Plymouth graphical boot. - -######################################## -## -## Execute a domain transition to run plymouthd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`plymouthd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans'($*)) dnl - - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute plymouthd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_exec'($*)) dnl - - gen_require(` - type plymouthd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, plymouthd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_exec'($*)) dnl - ') - - -######################################## -## -## Connect to plymouthd using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_stream_connect'($*)) dnl - - gen_require(` - type plymouthd_t, plymouthd_spool_t; - ') - - files_search_spool($1) - stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_stream_connect'($*)) dnl - ') - - -######################################## -## -## Execute plymouth in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`plymouthd_exec_plymouth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_exec_plymouth'($*)) dnl - - gen_require(` - type plymouth_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, plymouth_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_exec_plymouth'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run plymouth. -## -## -## -## Domain allowed to transition. -## -## -# - define(`plymouthd_domtrans_plymouth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans_plymouth'($*)) dnl - - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, plymouth_exec_t, plymouth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_domtrans_plymouth'($*)) dnl - ') - - -######################################## -## -## Search plymouthd spool directories. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_search_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_search_spool'($*)) dnl - - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - allow $1 plymouthd_spool_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_search_spool'($*)) dnl - ') - - -######################################## -## -## Read plymouthd spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`plymouthd_read_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_read_spool_files'($*)) dnl - - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_read_spool_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## plymouthd spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_manage_spool_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_manage_spool_files'($*)) dnl - - gen_require(` - type plymouthd_spool_t; - ') - - files_search_spool($1) - manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_manage_spool_files'($*)) dnl - ') - - -######################################## -## -## Search plymouthd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_search_lib'($*)) dnl - - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 plymouthd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read plymouthd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`plymouthd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_read_lib_files'($*)) dnl - - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Read and write plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_rw_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_rw_lib_files'($*)) dnl - - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_rw_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## plymouthd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_manage_lib_files'($*)) dnl - - gen_require(` - type plymouthd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Read plymouthd pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`plymouthd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_read_pid_files'($*)) dnl - - gen_require(` - type plymouthd_runtime_t; - ') - - files_search_pids($1) - allow $1 plymouthd_runtime_t:dir search_dir_perms; - allow $1 plymouthd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Delete the plymouthd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`plymouthd_delete_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_delete_pid_files'($*)) dnl - - gen_require(` - type plymouthd_runtime_t; - ') - - files_search_pids($1) - delete_files_pattern($1, plymouthd_runtime_t, plymouthd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_delete_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an plymouthd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`plymouthd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `plymouthd_admin'($*)) dnl - - gen_require(` - type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; - type plymouthd_runtime_t; - ') - - allow $1 plymouthd_t:process { ptrace signal_perms }; - read_files_pattern($1, plymouthd_t, plymouthd_t) - - files_search_spool($1) - admin_pattern($1, plymouthd_spool_t) - - files_search_var_lib($1) - admin_pattern($1, plymouthd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, plymouthd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `plymouthd_admin'($*)) dnl - ') - -## Internetwork email routing facility. - -######################################## -## -## Sendmail stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`sendmail_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_stub'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_stub'($*)) dnl - ') - - -######################################## -## -## Read and write sendmail unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`sendmail_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_rw_pipes'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run sendmail. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`sendmail_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_domtrans'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - corecmd_search_bin($1) - mta_sendmail_domtrans($1, sendmail_t) - - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_fifo_file_perms; - allow sendmail_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the sendmail program in the -## sendmail domain, and allow the -## specified role the sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sendmail_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_run'($*)) dnl - - gen_require(` - attribute_role sendmail_roles; - ') - - sendmail_domtrans($1) - roleattribute $2 sendmail_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_run'($*)) dnl - ') - - -######################################## -## -## Send generic signals to sendmail. -## -## -## -## Domain allowed access. -## -## -# - define(`sendmail_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_signal'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_signal'($*)) dnl - ') - - -######################################## -## -## Read and write sendmail TCP sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sendmail_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_rw_tcp_sockets'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## sendmail TCP sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`sendmail_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write sendmail unix -## domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`sendmail_rw_unix_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_rw_unix_stream_sockets'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - allow $1 sendmail_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_rw_unix_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## sendmail unix_stream_sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`sendmail_dontaudit_rw_unix_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl - - gen_require(` - type sendmail_t; - ') - - dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Read sendmail log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sendmail_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_read_log'($*)) dnl - - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, sendmail_log_t, sendmail_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_read_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## sendmail log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sendmail_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_manage_log'($*)) dnl - - gen_require(` - type sendmail_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, sendmail_log_t, sendmail_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_manage_log'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## log directories sendmail log file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`sendmail_log_filetrans_sendmail_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_log_filetrans_sendmail_log'($*)) dnl - - gen_require(` - type sendmail_log_t; - ') - - logging_log_filetrans($1, sendmail_log_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_log_filetrans_sendmail_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## sendmail tmp files. -## -## -## -## Domain allowed access. -## -## -# - define(`sendmail_manage_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_manage_tmp_files'($*)) dnl - - gen_require(` - type sendmail_tmp_t; - ') - - files_search_tmp($1) - manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_manage_tmp_files'($*)) dnl - ') - - -######################################## -## -## Execute sendmail in the unconfined sendmail domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sendmail_domtrans_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_domtrans_unconfined'($*)) dnl - - gen_require(` - type unconfined_sendmail_t; - ') - - mta_sendmail_domtrans($1, unconfined_sendmail_t) - - allow unconfined_sendmail_t $1:fd use; - allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms; - allow unconfined_sendmail_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_domtrans_unconfined'($*)) dnl - ') - - -######################################## -## -## Execute sendmail in the unconfined -## sendmail domain, and allow the -## specified role the unconfined -## sendmail domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`sendmail_run_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_run_unconfined'($*)) dnl - - gen_require(` - attribute_role sendmail_unconfined_roles; - ') - - sendmail_domtrans_unconfined($1) - roleattribute $2 sendmail_unconfined_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_run_unconfined'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sendmail environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sendmail_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sendmail_admin'($*)) dnl - - gen_require(` - type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_runtime_t, unconfined_sendmail_t; - type sendmail_keytab_t; - ') - - allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) - - init_startstop_service($1, $2, sendmail_t, sendmail_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, sendmail_keytab_t) - - logging_list_logs($1) - admin_pattern($1, sendmail_log_t) - - files_list_tmp($1) - admin_pattern($1, sendmail_tmp_t) - - files_list_pids($1) - admin_pattern($1, sendmail_runtime_t) - - sendmail_run($1, $2) - sendmail_run_unconfined($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sendmail_admin'($*)) dnl - ') - -## Policy for NIS (YP) servers and clients. - -######################################## -## -## Use the ypbind service to access NIS services -## unconditionally. -## -## -##

-## Use the ypbind service to access NIS services -## unconditionally. -##

-##

-## This interface was added because of apache and -## spamassassin, to fix a nested conditionals problem. -## When that support is added, this should be removed, -## and the regular interface should be used. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`nis_use_ypbind_uncond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_use_ypbind_uncond'($*)) dnl - - gen_require(` - type var_yp_t; - ') - - allow $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; - allow $1 var_yp_t:file read_file_perms; - allow $1 var_yp_t:lnk_file read_lnk_file_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_bind_generic_node($1) - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_reserved_port($1) - corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) - - sysnet_read_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_use_ypbind_uncond'($*)) dnl - ') - - -######################################## -## -## Use the ypbind service to access NIS services. -## -## -##

-## Allow the specified domain to use the ypbind service -## to access Network Information Service (NIS) services. -## Information that can be retreived from NIS includes -## usernames, passwords, home directories, and groups. -## If the network is configured to have a single sign-on -## using NIS, it is likely that any program that does -## authentication will need this access. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -# - define(`nis_use_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_use_ypbind'($*)) dnl - - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_use_ypbind'($*)) dnl - ') - - -######################################## -## -## Use nis to authenticate passwords. -## -## -## -## Domain allowed access. -## -## -## -# - define(`nis_authenticate',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_authenticate'($*)) dnl - - tunable_policy(`allow_ypbind',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_authenticate'($*)) dnl - ') - - -######################################## -## -## Execute ypbind in the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nis_domtrans_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypbind'($*)) dnl - - gen_require(` - type ypbind_t, ypbind_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypbind_exec_t, ypbind_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_domtrans_ypbind'($*)) dnl - ') - - -####################################### -## -## Execute ypbind in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nis_exec_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_exec_ypbind'($*)) dnl - - gen_require(` - type ypbind_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ypbind_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_exec_ypbind'($*)) dnl - ') - - -######################################## -## -## Execute ypbind in the ypbind domain, and -## allow the specified role the ypbind domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`nis_run_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_run_ypbind'($*)) dnl - - gen_require(` - attribute_role ypbind_roles; - ') - - nis_domtrans_ypbind($1) - roleattribute $2 ypbind_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_run_ypbind'($*)) dnl - ') - - -######################################## -## -## Send generic signals to ypbind. -## -## -## -## Domain allowed access. -## -## -# - define(`nis_signal_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_signal_ypbind'($*)) dnl - - gen_require(` - type ypbind_t; - ') - - allow $1 ypbind_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_signal_ypbind'($*)) dnl - ') - - -######################################## -## -## List nis data directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nis_list_var_yp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_list_var_yp'($*)) dnl - - gen_require(` - type var_yp_t; - ') - - files_search_var($1) - allow $1 var_yp_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_list_var_yp'($*)) dnl - ') - - -######################################## -## -## Read ypbind pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`nis_read_ypbind_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_read_ypbind_pid'($*)) dnl - - gen_require(` - type ypbind_runtime_t; - ') - - files_search_pids($1) - allow $1 ypbind_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_read_ypbind_pid'($*)) dnl - ') - - -######################################## -## -## Delete ypbind pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`nis_delete_ypbind_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_delete_ypbind_pid'($*)) dnl - - gen_require(` - type ypbind_runtime_t; - ') - - allow $1 ypbind_runtime_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_delete_ypbind_pid'($*)) dnl - ') - - -######################################## -## -## Read ypserv configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nis_read_ypserv_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_read_ypserv_config'($*)) dnl - - gen_require(` - type ypserv_conf_t; - ') - - files_search_etc($1) - allow $1 ypserv_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_read_ypserv_config'($*)) dnl - ') - - -######################################## -## -## Execute ypxfr in the ypxfr domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nis_domtrans_ypxfr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypxfr'($*)) dnl - - gen_require(` - type ypxfr_t, ypxfr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_domtrans_ypxfr'($*)) dnl - ') - - -######################################## -## -## Execute nis init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# -# - define(`nis_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans'($*)) dnl - - gen_require(` - type nis_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nis_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ypbind init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`nis_initrc_domtrans_ypbind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans_ypbind'($*)) dnl - - gen_require(` - type ypbind_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, ypbind_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans_ypbind'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an nis environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`nis_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nis_admin'($*)) dnl - - gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; - type ypbind_runtime_t, yppasswdd_runtime_t, ypserv_runtime_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; - ') - - allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t }) - - init_startstop_service($1, $2, ypbind_t, ypbind_initrc_exec_t) - init_startstop_service($1, $2, ypserv_t, nis_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) - - files_list_pids($1) - admin_pattern($1, { ypserv_runtime_t ypbind_runtime_t yppasswdd_runtime_t }) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - - files_search_var($1) - admin_pattern($1, var_yp_t) - - nis_run_ypbind($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nis_admin'($*)) dnl - ') - -## Dictionary server for the SKK Japanese input method system. -## Layer 2 Tunneling Protocol. - -######################################## -## -## Send to l2tpd with a unix -## domain dgram socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`l2tpd_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `l2tpd_dgram_send'($*)) dnl - - gen_require(` - type l2tpd_t, l2tpd_tmp_t, l2tpd_runtime_t; - ') - - files_search_pids($1) - files_search_tmp($1) - dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_runtime_t }, { l2tpd_tmp_t l2tpd_runtime_t }, l2tpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `l2tpd_dgram_send'($*)) dnl - ') - - -######################################## -## -## Read and write l2tpd sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`l2tpd_rw_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `l2tpd_rw_socket'($*)) dnl - - gen_require(` - type l2tpd_t; - ') - - allow $1 l2tpd_t:socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `l2tpd_rw_socket'($*)) dnl - ') - - -##################################### -## -## Connect to l2tpd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`l2tpd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `l2tpd_stream_connect'($*)) dnl - - gen_require(` - type l2tpd_t, l2tpd_runtime_t, l2tpd_tmp_t; - ') - - files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_runtime_t }, { l2tpd_tmp_t l2tpd_runtime_t }, l2tpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `l2tpd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an l2tp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`l2tp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `l2tp_admin'($*)) dnl - - gen_require(` - type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_runtime_t; - type l2tp_conf_t, l2tpd_tmp_t; - ') - - allow $1 l2tpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, l2tpd_t) - - init_startstop_service($1, $2, l2tpd_t, l2tpd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, l2tp_conf_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_runtime_t) - - files_search_tmp($1) - admin_pattern($1, l2tpd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `l2tp_admin'($*)) dnl - ') - -## Authoritative only name server. - -######################################## -## -## All of the rules required to -## administrate an nsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`nsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nsd_admin'($*)) dnl - - gen_require(` - type nsd_t, nsd_conf_t, nsd_runtime_t; - type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t; - ') - - allow $1 nsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nsd_t) - - init_startstop_service($1, $2, nsd_t, nsd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, { nsd_conf_t nsd_db_t }) - - files_search_var_lib($1) - admin_pattern($1, nsd_zone_t) - - files_list_pids($1) - admin_pattern($1, nsd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nsd_admin'($*)) dnl - ') - -## Open source wiki package written in PHP. -## Varnishd http accelerator daemon. - -####################################### -## -## Execute varnishd in the varnishd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`varnishd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_domtrans'($*)) dnl - - gen_require(` - type varnishd_t, varnishd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, varnishd_exec_t, varnishd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_domtrans'($*)) dnl - ') - - -####################################### -## -## Execute varnishd in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`varnishd_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_exec'($*)) dnl - - gen_require(` - type varnishd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, varnishd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_exec'($*)) dnl - ') - - -###################################### -## -## Read varnishd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`varnishd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_read_config'($*)) dnl - - gen_require(` - type varnishd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_read_config'($*)) dnl - ') - - -##################################### -## -## Read varnish lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`varnishd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_read_lib_files'($*)) dnl - - gen_require(` - type varnishd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_read_lib_files'($*)) dnl - ') - - -####################################### -## -## Read varnish log files. -## -## -## -## Domain allowed access. -## -## -# - define(`varnishd_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_read_log'($*)) dnl - - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_read_log'($*)) dnl - ') - - -###################################### -## -## Append varnish log files. -## -## -## -## Domain allowed access. -## -## -# - define(`varnishd_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_append_log'($*)) dnl - - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_append_log'($*)) dnl - ') - - -##################################### -## -## Create, read, write, and delete -## varnish log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`varnishd_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_manage_log'($*)) dnl - - gen_require(` - type varnishlog_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_manage_log'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an varnishlog environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`varnishd_admin_varnishlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_admin_varnishlog'($*)) dnl - - gen_require(` - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_runtime_t; - ') - - allow $1 varnishlog_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishlog_t) - - init_startstop_service($1, $2, varnishlog_t, varnishlog_initrc_exec_t) - - files_list_pids($1) - admin_pattern($1, varnishlog_runtime_t) - - logging_list_logs($1) - admin_pattern($1, varnishlog_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_admin_varnishlog'($*)) dnl - ') - - -####################################### -## -## All of the rules required to -## administrate an varnishd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`varnishd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `varnishd_admin'($*)) dnl - - gen_require(` - type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; - type varnishd_runtime_t, varnishd_tmp_t; - type varnishd_initrc_exec_t; - ') - - allow $1 varnishd_t:process { ptrace signal_perms }; - ps_process_pattern($1, varnishd_t) - - init_startstop_service($1, $2, varnishd_t, varnishd_initrc_exec_t) - - files_list_var_lib($1) - admin_pattern($1, varnishd_var_lib_t) - - files_list_etc($1) - admin_pattern($1, varnishd_etc_t) - - files_list_pids($1) - admin_pattern($1, varnishd_runtime_t) - - files_list_tmp($1) - admin_pattern($1, varnishd_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `varnishd_admin'($*)) dnl - ') - -## Zebra border gateway protocol network routing service. - -######################################## -## -## Read zebra configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`zebra_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zebra_read_config'($*)) dnl - - gen_require(` - type zebra_conf_t; - ') - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; - allow $1 zebra_conf_t:file read_file_perms; - allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zebra_read_config'($*)) dnl - ') - - -######################################## -## -## Connect to zebra with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`zebra_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zebra_stream_connect'($*)) dnl - - gen_require(` - type zebra_t, zebra_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, zebra_runtime_t, zebra_runtime_t, zebra_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zebra_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an zebra environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`zebra_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zebra_admin'($*)) dnl - - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_runtime_t; - type zebra_initrc_exec_t; - ') - - allow $1 zebra_t:process { ptrace signal_perms }; - ps_process_pattern($1, zebra_t) - - init_startstop_service($1, $2, zebra_t, zebra_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, zebra_conf_t) - - logging_list_logs($1) - admin_pattern($1, zebra_log_t) - - files_list_tmp($1) - admin_pattern($1, zebra_tmp_t) - - files_list_pids($1) - admin_pattern($1, zebra_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zebra_admin'($*)) dnl - ') - -## Cyphesis WorldForge game server. - -######################################## -## -## Execute a domain transition to run cyphesis. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`cyphesis_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cyphesis_domtrans'($*)) dnl - - gen_require(` - type cyphesis_t, cyphesis_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cyphesis_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cyphesis environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cyphesis_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cyphesis_admin'($*)) dnl - - gen_require(` - type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t; - type cyphesis_runtime_t, cyphesis_tmp_t; - ') - - allow $1 cyphesis_t:process { ptrace signal_perms }; - ps_process_pattern($1, cyphesis_t) - - init_startstop_service($1, $2, cyphesis_t, cyphesis_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, cyphesis_log_t) - - files_search_pids($1) - admin_pattern($1, cyphesis_runtime_t) - - files_search_tmp($1) - admin_pattern($1, cyphesis_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cyphesis_admin'($*)) dnl - ') - -## Small and secure DNS daemon. - -####################################### -## -## The template to define a djbdns domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`djbdns_daemontools_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `djbdns_daemontools_domain_template'($*)) dnl - - gen_require(` - attribute djbdns_domain; - ') - - ######################################## - # - # Declarations - # - - type djbdns_$1_t, djbdns_domain; - type djbdns_$1_exec_t; - domain_type(djbdns_$1_t) - domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t) - role system_r types djbdns_$1_t; - - type djbdns_$1_conf_t; - files_config_file(djbdns_$1_conf_t) - - ######################################## - # - # Local policy - # - - daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t) - daemontools_read_svc(djbdns_$1_t) - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `djbdns_daemontools_domain_template'($*)) dnl - ') - - -##################################### -## -## Search djbdns-tinydns key ring. -## -## -## -## Domain allowed access. -## -## -# - define(`djbdns_search_tinydns_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `djbdns_search_tinydns_keys'($*)) dnl - - gen_require(` - type djbdns_tinydns_t; - ') - - allow $1 djbdns_tinydns_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `djbdns_search_tinydns_keys'($*)) dnl - ') - - -##################################### -## -## Link djbdns-tinydns key ring. -## -## -## -## Domain allowed access. 
-## -## -# - define(`djbdns_link_tinydns_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `djbdns_link_tinydns_keys'($*)) dnl - - gen_require(` - type djbdns_tinydns_t; - ') - - allow $1 djbdns_tinydns_t:key link; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `djbdns_link_tinydns_keys'($*)) dnl - ') - -## Network UPS Tools - -######################################## -## -## All of the rules required to -## administrate an nut environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`nut_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nut_admin'($*)) dnl - - gen_require(` - attribute nut_domain; - type nut_initrc_exec_t, nut_runtime_t, nut_conf_t; - ') - - allow $1 nut_domain:process { ptrace signal_perms }; - ps_process_pattern($1, nut_domain) - - init_startstop_service($1, $2, nut_domain, nut_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, nut_conf_t) - - files_search_pids($1) - admin_pattern($1, nut_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nut_admin'($*)) dnl - ') - -## MIT Kerberos admin and KDC. - -######################################## -## -## Execute kadmind in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_exec_kadmind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_exec_kadmind'($*)) dnl - - gen_require(` - type kadmind_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, kadmind_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_exec_kadmind'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run kpropd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`kerberos_domtrans_kpropd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_domtrans_kpropd'($*)) dnl - - gen_require(` - type kpropd_t, kpropd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kpropd_exec_t, kpropd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_domtrans_kpropd'($*)) dnl - ') - - -######################################## -## -## Support kerberos services. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_use',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_use'($*)) dnl - - gen_require(` - type krb5kdc_conf_t, krb5_host_rcache_t, krb5_conf_t; - ') - - kerberos_read_config($1) - - dontaudit $1 krb5_conf_t:file write_file_perms; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - - dontaudit $1 self:process setfscreate; - - selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - - corenet_sendrecv_kerberos_client_packets($1) - corenet_tcp_connect_kerberos_port($1) - - corenet_sendrecv_ocsp_client_packets($1) - corenet_tcp_connect_ocsp_port($1) - - allow $1 krb5_host_rcache_t:file getattr_file_perms; - ') - - optional_policy(` - tunable_policy(`allow_kerberos',` - pcscd_stream_connect($1) - ') - ') - - optional_policy(` - sssd_read_public_files($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_use'($*)) dnl - ') - - 
-######################################## -## -## Read kerberos configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kerberos_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_read_config'($*)) dnl - - gen_require(` - type krb5_conf_t, krb5_home_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_read_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write -## kerberos configuration files. -## -## -## -## Domain to not audit. -## -## -# - define(`kerberos_dontaudit_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_dontaudit_write_config'($*)) dnl - - gen_require(` - type krb5_conf_t; - ') - - dontaudit $1 krb5_conf_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_dontaudit_write_config'($*)) dnl - ') - - -######################################## -## -## Read and write kerberos -## configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kerberos_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_rw_config'($*)) dnl - - gen_require(` - type krb5_conf_t; - ') - - files_search_etc($1) - allow $1 krb5_conf_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_rw_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kerberos home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`kerberos_manage_krb5_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_manage_krb5_home_files'($*)) dnl - - gen_require(` - type krb5_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_manage_krb5_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel kerberos home files. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_relabel_krb5_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_relabel_krb5_home_files'($*)) dnl - - gen_require(` - type krb5_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_relabel_krb5_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the krb5 home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`kerberos_home_filetrans_krb5_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_home_filetrans_krb5_home'($*)) dnl - - gen_require(` - type krb5_home_t; - ') - - userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_home_filetrans_krb5_home'($*)) dnl - ') - - -######################################## -## -## Read kerberos key table files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`kerberos_read_keytab',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_read_keytab'($*)) dnl - - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_read_keytab'($*)) dnl - ') - - -######################################## -## -## Read and write kerberos key table files. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_rw_keytab',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_rw_keytab'($*)) dnl - - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_rw_keytab'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kerberos key table files. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_manage_keytab_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_manage_keytab_files'($*)) dnl - - gen_require(` - type krb5_keytab_t; - ') - - files_search_etc($1) - allow $1 krb5_keytab_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_manage_keytab_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in generic -## etc directories with the kerberos -## keytab file type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`kerberos_etc_filetrans_keytab',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_etc_filetrans_keytab'($*)) dnl - - gen_require(` - type krb5_keytab_t; - ') - - files_etc_filetrans($1, krb5_keytab_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_etc_filetrans_keytab'($*)) dnl - ') - - -######################################## -## -## Read kerberos kdc configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kerberos_read_kdc_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_read_kdc_config'($*)) dnl - - gen_require(` - type krb5kdc_conf_t; - ') - - files_search_etc($1) - read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_read_kdc_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## kerberos host rcache files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`kerberos_manage_host_rcache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_manage_host_rcache'($*)) dnl - - gen_require(` - type krb5_host_rcache_t; - ') - - domain_obj_id_change_exemption($1) - - tunable_policy(`allow_kerberos',` - allow $1 self:process setfscreate; - - selinux_validate_context($1) - - seutil_read_file_contexts($1) - - files_search_tmp($1) - allow $1 krb5_host_rcache_t:file manage_file_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_manage_host_rcache'($*)) dnl - ') - - -######################################## -## -## Create objects in generic temporary -## directories with the kerberos host -## rcache type. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`kerberos_tmp_filetrans_host_rcache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_tmp_filetrans_host_rcache'($*)) dnl - - gen_require(` - type krb5_host_rcache_t; - ') - - files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_tmp_filetrans_host_rcache'($*)) dnl - ') - - -######################################## -## -## Connect to krb524 service. -## -## -## -## Domain allowed access. -## -## -# - define(`kerberos_connect_524',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_connect_524'($*)) dnl - - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) - - corenet_sendrecv_kerberos_master_client_packets($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_connect_524'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an kerberos environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`kerberos_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `kerberos_admin'($*)) dnl - - gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_runtime_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_runtime_t, krb5_host_rcache_t; - ') - - allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t }) - - init_startstop_service($1, $2, { kadmind_t krb5kdc_t }, kerberos_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, kadmind_log_t) - - files_list_tmp($1) - admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) - - kerberos_tmp_filetrans_host_rcache($1, file, "host_0") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") - kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") - kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") - kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") - kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") - kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") - - files_list_pids($1) - admin_pattern($1, { kadmind_runtime_t krb5kdc_runtime_t }) - - files_list_etc($1) - admin_pattern($1, krb5_conf_t) - - files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") - - admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) - - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") - - kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `kerberos_admin'($*)) dnl - ') - -## Local LDAP name 
service daemon. - -######################################## -## -## Execute a domain transition to run nslcd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nslcd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nslcd_domtrans'($*)) dnl - - gen_require(` - type nslcd_t, nslcd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nslcd_exec_t, nslcd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nslcd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute nslcd server in the nslcd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`nslcd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nslcd_initrc_domtrans'($*)) dnl - - gen_require(` - type nslcd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, nslcd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nslcd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read nslcd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`nslcd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nslcd_read_pid_files'($*)) dnl - - gen_require(` - type nslcd_runtime_t; - ') - - files_search_pids($1) - allow $1 nslcd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nslcd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to nslcd over an unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`nslcd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nslcd_stream_connect'($*)) dnl - - gen_require(` - type nslcd_t, nslcd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, nslcd_runtime_t, nslcd_runtime_t, nslcd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nslcd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an nslcd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`nslcd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nslcd_admin'($*)) dnl - - gen_require(` - type nslcd_t, nslcd_initrc_exec_t, nslcd_runtime_t; - type nslcd_conf_t; - ') - - allow $1 nslcd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nslcd_t) - - init_startstop_service($1, $2, nslcd_t, nslcd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, nslcd_conf_t) - - files_search_pids($1) - admin_pattern($1, nslcd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nslcd_admin'($*)) dnl - ') - -## Multilayer virtual switch. - -######################################## -## -## Execute openvswitch in the openvswitch domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`openvswitch_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvswitch_domtrans'($*)) dnl - - gen_require(` - type openvswitch_t, openvswitch_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvswitch_domtrans'($*)) dnl - ') - - -######################################## -## -## Read openvswitch pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`openvswitch_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvswitch_read_pid_files'($*)) dnl - - gen_require(` - type openvswitch_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, openvswitch_runtime_t, openvswitch_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvswitch_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an openvswitch environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`openvswitch_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openvswitch_admin'($*)) dnl - - gen_require(` - type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t; - type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_runtime_t; - ') - - allow $1 openvswitch_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvswitch_t) - - init_startstop_service($1, $2, openvswitch_t, openvswitch_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, openvswitch_conf_t) - - files_search_var_lib($1) - admin_pattern($1, openvswitch_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, openvswitch_log_t) - - files_search_pids($1) - admin_pattern($1, openvswitch_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openvswitch_admin'($*)) dnl - ') - -## Rshd, rlogind, and telnetd. - -######################################## -## -## Domain transition to the remote login domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`remotelogin_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `remotelogin_domtrans'($*)) dnl - - gen_require(` - type remote_login_t; - ') - - corecmd_search_bin($1) - auth_domtrans_login_program($1, remote_login_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `remotelogin_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to remote login. -## -## -## -## Domain allowed access. 
-## -## -# - define(`remotelogin_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `remotelogin_signal'($*)) dnl - - gen_require(` - type remote_login_t; - ') - - allow $1 remote_login_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `remotelogin_signal'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## remote login temporary content. -## -## -## -## Domain allowed access. -## -## -# - define(`remotelogin_manage_tmp_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `remotelogin_manage_tmp_content'($*)) dnl - - gen_require(` - type remote_login_tmp_t; - ') - - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir manage_dir_perms; - allow $1 remote_login_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `remotelogin_manage_tmp_content'($*)) dnl - ') - - -######################################## -## -## Relabel remote login temporary content. -## -## -## -## Domain allowed access. -## -## -# - define(`remotelogin_relabel_tmp_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `remotelogin_relabel_tmp_content'($*)) dnl - - gen_require(` - type remote_login_tmp_t; - ') - - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir relabel_dir_perms; - allow $1 remote_login_tmp_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `remotelogin_relabel_tmp_content'($*)) dnl - ') - -## Distributed infrastructure monitoring. - -######################################## -## -## Execute a domain transition to run zabbix. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`zabbix_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_domtrans'($*)) dnl - - gen_require(` - type zabbix_t, zabbix_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zabbix_exec_t, zabbix_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to zabbit on the TCP network. -## -## -## -## Domain allowed access. -## -## -# - define(`zabbix_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_tcp_connect'($*)) dnl - - gen_require(` - type zabbix_t; - ') - - corenet_sendrecv_zabbix_client_packets($1) - corenet_tcp_connect_zabbix_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_tcp_connect'($*)) dnl - ') - - -######################################## -## -## Read zabbix log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`zabbix_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_read_log'($*)) dnl - - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, zabbix_log_t, zabbix_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_read_log'($*)) dnl - ') - - -######################################## -## -## Append zabbix log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`zabbix_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_append_log'($*)) dnl - - gen_require(` - type zabbix_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, zabbix_log_t, zabbix_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_append_log'($*)) dnl - ') - - -######################################## -## -## Read zabbix pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`zabbix_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_read_pid_files'($*)) dnl - - gen_require(` - type zabbix_runtime_t; - ') - - files_search_pids($1) - allow $1 zabbix_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Connect to zabbix agent on the TCP network. -## -## -## -## Domain allowed access. -## -## -# - define(`zabbix_agent_tcp_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_agent_tcp_connect'($*)) dnl - - gen_require(` - type zabbix_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_agent_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_agent_tcp_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an zabbix environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`zabbix_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zabbix_admin'($*)) dnl - - gen_require(` - type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_runtime_t; - type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t; - type zabbix_tmpfs_t; - ') - - allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { zabbix_t zabbix_agent_t }) - - init_startstop_service($1, $2, zabbix_t, zabbix_initrc_exec_t) - init_startstop_service($1, $2, zabbix_agent_t, zabbix_agent_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, zabbix_log_t) - - files_list_pids($1) - admin_pattern($1, zabbix_runtime_t) - - files_list_tmp($1) - admin_pattern($1, zabbix_tmp_t) - - fs_list_tmpfs($1) - admin_pattern($1, zabbix_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zabbix_admin'($*)) dnl - ') - -## KDE Talk daemon. -## Desktop messaging bus. - -######################################## -## -## DBUS stub interface. No access allowed. -## -## -## -## Domain allowed access -## -## -# - define(`dbus_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_stub'($*)) dnl - - gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_stub'($*)) dnl - ') - - -######################################## -## -## Execute dbus in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_exec'($*)) dnl - - gen_require(` - type dbusd_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, dbusd_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_exec'($*)) dnl - ') - - -######################################## -## -## Role access for dbus. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# - define(`dbus_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_role_template'($*)) dnl - - gen_require(` - class dbus { send_msg acquire_svc }; - attribute session_bus_type; - type system_dbusd_t, dbusd_exec_t; - type session_dbusd_tmp_t, session_dbusd_home_t; - ') - - ############################## - # - # Declarations - # - - type $1_dbusd_t, session_bus_type; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) - - role $2 types $1_dbusd_t; - - ############################## - # - # Local policy - # - - allow $3 $1_dbusd_t:unix_stream_socket connectto; - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 $1_dbusd_t:fd use; - - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) - allow $3 $1_dbusd_t:process { ptrace signal_perms }; - - allow $1_dbusd_t $3:process sigkill; - - corecmd_bin_domtrans($1_dbusd_t, $3) - 
corecmd_shell_domtrans($1_dbusd_t, $3) - - auth_use_nsswitch($1_dbusd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') - - ifdef(`distro_gentoo',` - optional_policy(` - xdg_read_data_home_files($1_dbusd_t) - ') - ') - - optional_policy(` - systemd_read_logind_pids($1_dbusd_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_role_template'($*)) dnl - ') - - -####################################### -## -## Template for creating connections to -## the system bus. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_system_bus_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_system_bus_client'($*)) dnl - - gen_require(` - attribute dbusd_system_bus_client; - type system_dbusd_t, system_dbusd_runtime_t, system_dbusd_var_lib_t; - class dbus send_msg; - ') - - typeattribute $1 dbusd_system_bus_client; - - allow $1 { system_dbusd_t self }:dbus send_msg; - allow system_dbusd_t $1:dbus send_msg; - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t) - - dbus_read_config($1) - - ifdef(`distro_gentoo',` - # The /var/lib/dbus/machine-id file is a link to /etc/machine-id - read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_system_bus_client'($*)) dnl - ') - - -####################################### -## -## Acquire service on all DBUS -## session busses. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_connect_all_session_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_connect_all_session_bus'($*)) dnl - - gen_require(` - attribute session_bus_type; - class dbus acquire_svc; - ') - - allow $1 session_bus_type:dbus acquire_svc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_connect_all_session_bus'($*)) dnl - ') - - -####################################### -## -## Acquire service on specified -## DBUS session bus. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_connect_spec_session_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_connect_spec_session_bus'($*)) dnl - - gen_require(` - type $1_dbusd_t; - class dbus acquire_svc; - ') - - allow $2 $1_dbusd_t:dbus acquire_svc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_connect_spec_session_bus'($*)) dnl - ') - - -####################################### -## -## Creating connections to all -## DBUS session busses. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_all_session_bus_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_all_session_bus_client'($*)) dnl - - gen_require(` - attribute session_bus_type, dbusd_session_bus_client; - class dbus send_msg; - ') - - typeattribute $1 dbusd_session_bus_client; - - allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; - - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_all_session_bus_client'($*)) dnl - ') - - -####################################### -## -## Creating connections to specified -## DBUS session bus. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_spec_session_bus_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_spec_session_bus_client'($*)) dnl - - gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; - ') - - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; - - allow $2 $1_dbusd_t:unix_stream_socket connectto; - allow $2 $1_dbusd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_spec_session_bus_client'($*)) dnl - ') - - -####################################### -## -## Send messages to all DBUS -## session busses. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_send_all_session_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_send_all_session_bus'($*)) dnl - - gen_require(` - attribute session_bus_type; - class dbus send_msg; - ') - - allow $1 session_bus_type:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_send_all_session_bus'($*)) dnl - ') - - -####################################### -## -## Send messages to specified -## DBUS session busses. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_send_spec_session_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_send_spec_session_bus'($*)) dnl - - gen_require(` - type $1_dbusd_t; - class dbus send_msg; - ') - - allow $2 $1_dbusd_t:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_send_spec_session_bus'($*)) dnl - ') - - -######################################## -## -## Read dbus configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_read_config'($*)) dnl - - gen_require(` - type dbusd_etc_t; - ') - - allow $1 dbusd_etc_t:dir list_dir_perms; - allow $1 dbusd_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_read_config'($*)) dnl - ') - - -######################################## -## -## Read system dbus lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_read_lib_files'($*)) dnl - - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Relabel system dbus lib directory. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_relabel_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_relabel_lib_dirs'($*)) dnl - - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 system_dbusd_var_lib_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_relabel_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## system dbus lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_manage_lib_files'($*)) dnl - - gen_require(` - type system_dbusd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Allow a application domain to be -## started by the specified session bus. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an -## entry point to this domain. 
-## -## -# - define(`dbus_all_session_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_all_session_domain'($*)) dnl - - gen_require(` - attribute session_bus_type; - ') - - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_all_session_domain'($*)) dnl - ') - - -######################################## -## -## Allow a application domain to be -## started by the specified session bus. -## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an -## entry point to this domain. -## -## -# - define(`dbus_spec_session_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_spec_session_domain'($*)) dnl - - gen_require(` - type $1_dbusd_t; - ') - - domtrans_pattern($1_dbusd_t, $3, $2) - - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_spec_session_domain'($*)) dnl - ') - - -######################################## -## -## Acquire service on the DBUS system bus. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_connect_system_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_connect_system_bus'($*)) dnl - - gen_require(` - type system_dbusd_t; - class dbus acquire_svc; - ') - - allow $1 system_dbusd_t:dbus acquire_svc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_connect_system_bus'($*)) dnl - ') - - -######################################## -## -## Send messages to the DBUS system bus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_send_system_bus',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_send_system_bus'($*)) dnl - - gen_require(` - type system_dbusd_t; - class dbus send_msg; - ') - - allow $1 system_dbusd_t:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_send_system_bus'($*)) dnl - ') - - -######################################## -## -## Unconfined access to DBUS system bus. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_system_bus_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_system_bus_unconfined'($*)) dnl - - gen_require(` - type system_dbusd_t; - class dbus { acquire_svc send_msg }; - ') - - allow $1 system_dbusd_t:dbus { acquire_svc send_msg }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_system_bus_unconfined'($*)) dnl - ') - - -######################################## -## -## Create a domain for processes which -## can be started by the DBUS system bus. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. 
-## -## -# - define(`dbus_system_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_system_domain'($*)) dnl - - gen_require(` - type system_dbusd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) - - ifdef(`init_systemd',` - init_daemon_domain($1, $2) - ') - - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_system_domain'($*)) dnl - ') - - -######################################## -## -## Use and inherit DBUS system bus -## file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_use_system_bus_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_use_system_bus_fds'($*)) dnl - - gen_require(` - type system_dbusd_t; - ') - - allow $1 system_dbusd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_use_system_bus_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`dbus_dontaudit_system_bus_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_system_bus_rw_tcp_sockets'($*)) dnl - - gen_require(` - type system_dbusd_t; - ') - - dontaudit $1 system_dbusd_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_dontaudit_system_bus_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Watch system bus runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_watch_system_bus_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_watch_system_bus_runtime_dirs'($*)) dnl - - gen_require(` - type system_dbusd_runtime_t; - ') - - allow $1 system_dbusd_runtime_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_watch_system_bus_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Watch system bus runtime named sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`dbus_watch_system_bus_runtime_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_watch_system_bus_runtime_named_sockets'($*)) dnl - - gen_require(` - type system_dbusd_runtime_t; - ') - - allow $1 system_dbusd_runtime_t:sock_file watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_watch_system_bus_runtime_named_sockets'($*)) dnl - ') - - -######################################## -## -## Unconfined access to DBUS. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dbus_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_unconfined'($*)) dnl - - gen_require(` - attribute dbusd_unconfined; - ') - - typeattribute $1 dbusd_unconfined; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_unconfined'($*)) dnl - ') - - -######################################## -## -## Create resources in /run or /var/run with the system_dbusd_runtime_t -## label. This method is deprecated in favor of the init_daemon_run_dir -## call. -## -## -## -## Domain allowed access -## -## -## -## -## Classes supported for the created resources -## -## -## -## -## Optional file name used for the resource -## -## -# - define(`dbus_generic_pid_filetrans_system_dbusd_var_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_generic_pid_filetrans_system_dbusd_var_run'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_generic_pid_filetrans_system_dbusd_var_run'($*)) dnl - ') - - -######################################## -## -## Create directories with the system_dbusd_runtime_t label -## -## -## -## Domain allowed access -## -## -# - define(`dbus_create_system_dbusd_var_run_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dbus_create_system_dbusd_var_run_dirs'($*)) dnl - - gen_require(` - type system_dbusd_runtime_t; - ') - - create_dirs_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dbus_create_system_dbusd_var_run_dirs'($*)) dnl - ') - - - -## System Security Services Daemon. - -####################################### -## -## Get attributes of sssd executable files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_getattr_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_getattr_exec'($*)) dnl - - gen_require(` - type sssd_exec_t; - ') - - allow $1 sssd_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_getattr_exec'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run sssd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sssd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_domtrans'($*)) dnl - - gen_require(` - type sssd_t, sssd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sssd_exec_t, sssd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute sssd init scripts in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`sssd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_initrc_domtrans'($*)) dnl - - gen_require(` - type sssd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sssd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_initrc_domtrans'($*)) dnl - ') - - -####################################### -## -## Read sssd configuration content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_read_config'($*)) dnl - - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) - read_files_pattern($1, sssd_conf_t, sssd_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_read_config'($*)) dnl - ') - - -###################################### -## -## Write sssd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_write_config'($*)) dnl - - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - write_files_pattern($1, sssd_conf_t, sssd_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_write_config'($*)) dnl - ') - - -#################################### -## -## Create, read, write, and delete -## sssd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_manage_config'($*)) dnl - - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - manage_files_pattern($1, sssd_conf_t, sssd_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_manage_config'($*)) dnl - ') - - -######################################## -## -## Read sssd public files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_read_public_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_read_public_files'($*)) dnl - - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - allow $1 sssd_public_t:dir list_dir_perms; - read_files_pattern($1, sssd_public_t, sssd_public_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_read_public_files'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## sssd public files. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_manage_public_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_manage_public_files'($*)) dnl - - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_manage_public_files'($*)) dnl - ') - - -######################################## -## -## Read sssd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_read_pid_files'($*)) dnl - - gen_require(` - type sssd_runtime_t; - ') - - files_search_pids($1) - allow $1 sssd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## sssd pid content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_manage_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_manage_pids'($*)) dnl - - gen_require(` - type sssd_runtime_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, sssd_runtime_t, sssd_runtime_t) - manage_files_pattern($1, sssd_runtime_t, sssd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_manage_pids'($*)) dnl - ') - - -######################################## -## -## Search sssd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_search_lib'($*)) dnl - - gen_require(` - type sssd_var_lib_t; - ') - - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_search_lib'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search -## sssd lib directories. -## -## -## -## Domain to not audit. -## -## -# - define(`sssd_dontaudit_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_search_lib'($*)) dnl - - gen_require(` - type sssd_var_lib_t; - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_dontaudit_search_lib'($*)) dnl - ') - - -######################################## -## -## Read sssd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_read_lib_files'($*)) dnl - - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## sssd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_manage_lib_files'($*)) dnl - - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## sssd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`sssd_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_dbus_chat'($*)) dnl - - gen_require(` - type sssd_t; - class dbus send_msg; - ') - - allow $1 sssd_t:dbus send_msg; - allow sssd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Connect to sssd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sssd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_stream_connect'($*)) dnl - - gen_require(` - type sssd_t, sssd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an sssd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sssd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sssd_admin'($*)) dnl - - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; - type sssd_var_lib_t, sssd_runtime_t, sssd_conf_t; - type sssd_var_log_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms }; - ps_process_pattern($1, sssd_t) - - init_startstop_service($1, $2, sssd_t, sssd_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, sssd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, { sssd_var_lib_t sssd_public_t }) - - files_search_pids($1) - admin_pattern($1, sssd_runtime_t) - - logging_search_logs($1) - admin_pattern($1, sssd_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sssd_admin'($*)) dnl - ') - -## Tunnels instant messaging traffic to a virtual IRC channel. - -######################################## -## -## Read bitlbee configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bitlbee_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bitlbee_read_config'($*)) dnl - - gen_require(` - type bitlbee_conf_t; - ') - - files_search_etc($1) - allow $1 bitlbee_conf_t:dir list_dir_perms; - allow $1 bitlbee_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bitlbee_read_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bitlbee environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`bitlbee_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bitlbee_admin'($*)) dnl - - gen_require(` - type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; - type bitlbee_initrc_exec_t, bitlbee_runtime_t; - type bitlbee_log_t, bitlbee_tmp_t; - ') - - allow $1 bitlbee_t:process { ptrace signal_perms }; - ps_process_pattern($1, bitlbee_t) - - init_startstop_service($1, $2, bitlbee_t, bitlbee_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, bitlbee_conf_t) - - logging_search_logs($1) - admin_pattern($1, bitlbee_log_t) - - files_search_tmp($1) - admin_pattern($1, bitlbee_tmp_t) - - files_search_pids($1) - admin_pattern($1, bitlbee_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, bitlbee_var_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bitlbee_admin'($*)) dnl - ') - -## Manager for dynamically switching between networks. - -######################################## -## -## Read and write networkmanager udp sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_rw_udp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_rw_udp_sockets'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:udp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_rw_udp_sockets'($*)) dnl - ') - - -######################################## -## -## Read and write networkmanager packet sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_rw_packet_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_rw_packet_sockets'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:packet_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_rw_packet_sockets'($*)) dnl - ') - - -####################################### -## -## Relabel networkmanager tun socket. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_attach_tun_iface',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_attach_tun_iface'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_attach_tun_iface'($*)) dnl - ') - - -######################################## -## -## Read and write networkmanager netlink -## routing sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_rw_routing_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_rw_routing_sockets'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:netlink_route_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_rw_routing_sockets'($*)) dnl - ') - - -######################################## -## -## Execute networkmanager with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`networkmanager_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_domtrans'($*)) dnl - - gen_require(` - type NetworkManager_t, NetworkManager_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute networkmanager scripts with -## an automatic domain transition to initrc. -## -## -## -## Domain allowed to transition. -## -## -# - define(`networkmanager_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_initrc_domtrans'($*)) dnl - - gen_require(` - type NetworkManager_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## networkmanager over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_dbus_chat'($*)) dnl - - gen_require(` - type NetworkManager_t; - class dbus send_msg; - ') - - allow $1 NetworkManager_t:dbus send_msg; - allow NetworkManager_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_dbus_chat'($*)) dnl - ') - - -####################################### -## -## Read metworkmanager process state files. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_read_state'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:dir search_dir_perms; - allow $1 NetworkManager_t:file read_file_perms; - allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_read_state'($*)) dnl - ') - - -######################################## -## -## Send generic signals to networkmanager. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_signal'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_signal'($*)) dnl - ') - - -######################################## -## -## Read networkmanager etc files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_read_etc_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_read_etc_files'($*)) dnl - - gen_require(` - type NetworkManager_etc_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t) - read_files_pattern($1, NetworkManager_etc_t, NetworkManager_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_read_etc_files'($*)) dnl - ') - - -######################################## -## -## Create, read, and write -## networkmanager library files. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_manage_lib_files'($*)) dnl - - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - allow $1 NetworkManager_var_lib_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Read networkmanager lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_read_lib_files'($*)) dnl - - gen_require(` - type NetworkManager_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - allow $1 NetworkManager_var_lib_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Append networkmanager log files. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_append_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_append_log_files'($*)) dnl - - gen_require(` - type NetworkManager_log_t; - ') - - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_append_log_files'($*)) dnl - ') - - -######################################## -## -## Read networkmanager pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_read_pid_files'($*)) dnl - - gen_require(` - type NetworkManager_runtime_t; - ') - - files_search_pids($1) - allow $1 NetworkManager_runtime_t:dir search_dir_perms; - allow $1 NetworkManager_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_read_pid_files'($*)) dnl - ') - - -#################################### -## -## Connect to networkmanager over -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_stream_connect'($*)) dnl - - gen_require(` - type NetworkManager_t, NetworkManager_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, NetworkManager_runtime_t, NetworkManager_runtime_t, NetworkManager_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_stream_connect'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to enable/disable NetworkManager units -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_enabledisable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_enabledisable'($*)) dnl - - gen_require(` - type NetworkManager_unit_t; - class service { enable disable }; - ') - - allow $1 NetworkManager_unit_t:service { enable disable }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_enabledisable'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start/stop NetworkManager units -## -## -## -## Domain allowed access. 
-## -## -# - define(`networkmanager_startstop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_startstop'($*)) dnl - - gen_require(` - type NetworkManager_unit_t; - class service { start stop }; - ') - - allow $1 NetworkManager_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_startstop'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of NetworkManager -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_status'($*)) dnl - - gen_require(` - type NetworkManager_unit_t; - class service status; - ') - - allow $1 NetworkManager_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_status'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an networkmanager environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`networkmanager_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_admin'($*)) dnl - - gen_require(` - type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; - type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; - type NetworkManager_var_lib_t, NetworkManager_runtime_t, wpa_cli_t; - ') - - allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) - - init_startstop_service($1, $2, NetworkManager_t, NetworkManager_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, NetworkManager_log_t) - - files_search_var_lib($1) - admin_pattern($1, NetworkManager_var_lib_t) - allow $1 NetworkManager_var_lib_t:file map; - - files_search_pids($1) - admin_pattern($1, NetworkManager_runtime_t) - - files_search_tmp($1) - admin_pattern($1, NetworkManager_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_admin'($*)) dnl - ') - - -######################################## -## -## Do not audit use of wpa_cli file descriptors -## -## -## -## Domain to dontaudit access. -## -## -# - define(`networkmanager_dontaudit_use_wpa_cli_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_dontaudit_use_wpa_cli_fds'($*)) dnl - - gen_require(` - type wpa_cli_t; - ') - - dontaudit $1 wpa_cli_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_dontaudit_use_wpa_cli_fds'($*)) dnl - ') - - - -######################################## -## -## Execute wpa_cli in the wpa_cli domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`networkmanager_domtrans_wpa_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_domtrans_wpa_cli'($*)) dnl - - gen_require(` - type wpa_cli_t, wpa_cli_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wpa_cli_exec_t, wpa_cli_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_domtrans_wpa_cli'($*)) dnl - ') - - -######################################## -## -## Execute wpa cli in the wpa_cli domain, and -## allow the specified role the wpa_cli domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`networkmanager_run_wpa_cli',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_run_wpa_cli'($*)) dnl - - gen_require(` - type wpa_cli_exec_t; - ') - - networkmanager_domtrans_wpa_cli($1) - role $2 types wpa_cli_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_run_wpa_cli'($*)) dnl - ') - - -# Gentoo specific interfaces follow but not allowed ifdef - -######################################## -## -## Read and write networkmanager rawip sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`networkmanager_rw_rawip_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `networkmanager_rw_rawip_sockets'($*)) dnl - - gen_require(` - type NetworkManager_t; - ') - - allow $1 NetworkManager_t:rawip_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `networkmanager_rw_rawip_sockets'($*)) dnl - ') - -## Open AntiVirus scannerdaemon and signature update. - -######################################## -## -## Execute oav_update in the oav_update domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`oav_domtrans_update',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oav_domtrans_update'($*)) dnl - - gen_require(` - type oav_update_t, oav_update_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oav_update_exec_t, oav_update_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oav_domtrans_update'($*)) dnl - ') - - -######################################## -## -## Execute oav_update in the oav update -## domain, and allow the specified role -## the oav_update domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`oav_run_update',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oav_run_update'($*)) dnl - - gen_require(` - attribute_role oav_update_roles; - ') - - oav_domtrans_update($1) - roleattribute $2 oav_update_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oav_run_update'($*)) dnl - ') - -## iMaze game server. -## MojoMojo Wiki. -## A X11-based print system and API. -## gpsd monitor daemon. - -######################################## -## -## Execute a domain transition to run gpsd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`gpsd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpsd_domtrans'($*)) dnl - - gen_require(` - type gpsd_t, gpsd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gpsd_exec_t, gpsd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpsd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute gpsd in the gpsd domain, and -## allow the specified role the gpsd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`gpsd_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpsd_run'($*)) dnl - - gen_require(` - attribute_role gpsd_roles; - ') - - gpsd_domtrans($1) - roleattribute $2 gpsd_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpsd_run'($*)) dnl - ') - - -######################################## -## -## Read and write gpsd shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`gpsd_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpsd_rw_shm'($*)) dnl - - gen_require(` - type gpsd_t, gpsd_tmpfs_t; - ') - - allow $1 gpsd_t:shm rw_shm_perms; - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpsd_rw_shm'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an gpsd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`gpsd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `gpsd_admin'($*)) dnl - - gen_require(` - type gpsd_t, gpsd_initrc_exec_t, gpsd_runtime_t; - ') - - allow $1 gpsd_t:process { ptrace signal_perms }; - ps_process_pattern($1, gpsd_t) - - init_startstop_service($1, $2, gpsd_t, gpsd_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, gpsd_runtime_t) - - gpsd_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `gpsd_admin'($*)) dnl - ') - -## Bring up/down ethernet interfaces based on cable detection. - -######################################## -## -## Execute a domain transition to run ifplugd. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`ifplugd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_domtrans'($*)) dnl - - gen_require(` - type ifplugd_t, ifplugd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_domtrans'($*)) dnl - ') - - -######################################## -## -## Send generic signals to ifplugd. -## -## -## -## Domain allowed access. -## -## -# - define(`ifplugd_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_signal'($*)) dnl - - gen_require(` - type ifplugd_t; - ') - - allow $1 ifplugd_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_signal'($*)) dnl - ') - - -######################################## -## -## Read ifplugd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`ifplugd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_read_config'($*)) dnl - - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_read_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## ifplugd configuration content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ifplugd_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_manage_config'($*)) dnl - - gen_require(` - type ifplugd_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_manage_config'($*)) dnl - ') - - -######################################## -## -## Read ifplugd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`ifplugd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_read_pid_files'($*)) dnl - - gen_require(` - type ifplugd_runtime_t; - ') - - files_search_pids($1) - allow $1 ifplugd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ifplugd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ifplugd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ifplugd_admin'($*)) dnl - - gen_require(` - type ifplugd_t, ifplugd_etc_t, ifplugd_runtime_t; - type ifplugd_initrc_exec_t; - ') - - allow $1 ifplugd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ifplugd_t) - - init_startstop_service($1, $2, ifplugd_t, ifplugd_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, ifplugd_etc_t) - - files_list_pids($1) - admin_pattern($1, ifplugd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ifplugd_admin'($*)) dnl - ') - -## Daemon to record and keep track of system up times. 
- -######################################## -## -## All of the rules required to -## administrate an uptime environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`uptime_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `uptime_admin'($*)) dnl - - gen_require(` - type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t; - type uptimed_spool_t, uptimed_runtime_t; - ') - - allow $1 uptimed_t:process { ptrace signal_perms }; - ps_process_pattern($1, uptimed_t) - - init_startstop_service($1, $2, uptimed_t, uptimed_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, uptimed_etc_t) - - files_search_spool($1) - admin_pattern($1, uptimed_spool_t) - - files_search_pids($1) - admin_pattern($1, uptimed_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `uptime_admin'($*)) dnl - ') - -## Remote shell service. - -######################################## -## -## Execute rshd in the rshd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rshd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rshd_domtrans'($*)) dnl - - gen_require(` - type rshd_exec_t, rshd_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rshd_domtrans'($*)) dnl - ') - -## DNS Privacy stub resolver. -## Update dynamic IP address at DynDNS.org. - -####################################### -## -## Execute ddclient in the ddclient domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`ddclient_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ddclient_domtrans'($*)) dnl - - gen_require(` - type ddclient_t, ddclient_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ddclient_exec_t, ddclient_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ddclient_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ddclient in the ddclient -## domain, and allow the specified -## role the ddclient domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ddclient_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ddclient_run'($*)) dnl - - gen_require(` - attribute_role ddclient_roles; - ') - - ddclient_domtrans($1) - roleattribute $2 ddclient_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ddclient_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ddclient environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ddclient_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ddclient_admin'($*)) dnl - - gen_require(` - type ddclient_t, ddclient_etc_t, ddclient_log_t; - type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t; - type ddclient_runtime_t, ddclient_initrc_exec_t; - ') - - allow $1 ddclient_t:process { ptrace signal_perms }; - ps_process_pattern($1, ddclient_t) - - init_startstop_service($1, $2, ddclient_t, ddclient_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, ddclient_etc_t) - - logging_list_logs($1) - admin_pattern($1, ddclient_log_t) - - files_list_var($1) - admin_pattern($1, ddclient_var_t) - - files_list_var_lib($1) - admin_pattern($1, ddclient_var_lib_t) - - files_list_pids($1) - admin_pattern($1, ddclient_runtime_t) - - files_list_tmp($1) - admin_pattern($1, ddclient_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ddclient_admin'($*)) dnl - ') - -## HyperV key value pair (KVP). - -######################################## -## -## All of the rules required to -## administrate an hypervkvp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`hypervkvp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hypervkvp_admin'($*)) dnl - - gen_require(` - type hypervkvpd_t, hypervkvpd_initrc_exec_t; - ') - - allow $1 hypervkvpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, hypervkvpd_t) - - init_startstop_service($1, $2, hypervkvpd_t, hypervkvpd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hypervkvp_admin'($*)) dnl - ') - -## Xorg.conf keyboard layout callout. - -###################################### -## -## Read keyboardd unnamed pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`keyboardd_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `keyboardd_read_pipes'($*)) dnl - - gen_require(` - type keyboardd_t; - ') - - allow $1 keyboardd_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `keyboardd_read_pipes'($*)) dnl - ') - -## PBX software. - -######################################## -## -## Execute callweaver in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`callweaver_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `callweaver_exec'($*)) dnl - - gen_require(` - type callweaver_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, callweaver_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `callweaver_exec'($*)) dnl - ') - - -######################################## -## -## Connect to callweaver over a -## unix stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`callweaver_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `callweaver_stream_connect'($*)) dnl - - gen_require(` - type callweaver_t, callweaver_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, callweaver_runtime_t, callweaver_runtime_t, callweaver_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `callweaver_stream_connect'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an callweaver environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`callweaver_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `callweaver_admin'($*)) dnl - - gen_require(` - type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t; - type callweaver_var_lib_t, callweaver_runtime_t, callweaver_spool_t; - ') - - allow $1 callweaver_t:process { ptrace signal_perms }; - ps_process_pattern($1, callweaver_t) - - init_startstop_service($1, $2, callweaver_t, callweaver_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, callweaver_log_t) - - files_search_pids($1) - admin_pattern($1, callweaver_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `callweaver_admin'($*)) dnl - ') - -## TCP daemon. - -######################################## -## -## Execute tcpd in the tcpd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tcpd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcpd_domtrans'($*)) dnl - - gen_require(` - type tcpd_t, tcpd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, tcpd_exec_t, tcpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcpd_domtrans'($*)) dnl - ') - - -######################################## -## -## Create a domain for services that -## utilize tcp wrappers. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. 
-## -## -# - define(`tcpd_wrapped_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tcpd_wrapped_domain'($*)) dnl - - gen_require(` - type tcpd_t; - role system_r; - ') - - domtrans_pattern(tcpd_t, $2, $1) - role system_r types $1; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tcpd_wrapped_domain'($*)) dnl - ') - -## Apache QPID AMQP messaging server. - -######################################## -## -## Execute a domain transition to run qpidd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`qpidd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_domtrans'($*)) dnl - - gen_require(` - type qpidd_t, qpidd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qpidd_exec_t, qpidd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_domtrans'($*)) dnl - ') - - -##################################### -## -## Read and write access qpidd semaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`qpidd_rw_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_rw_semaphores'($*)) dnl - - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_rw_semaphores'($*)) dnl - ') - - -######################################## -## -## Read and write qpidd shared memory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`qpidd_rw_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_rw_shm'($*)) dnl - - gen_require(` - type qpidd_t; - ') - - allow $1 qpidd_t:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_rw_shm'($*)) dnl - ') - - -######################################## -## -## Execute qpidd init script in -## the initrc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`qpidd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_initrc_domtrans'($*)) dnl - - gen_require(` - type qpidd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read qpidd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`qpidd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_read_pid_files'($*)) dnl - - gen_require(` - type qpidd_runtime_t; - ') - - files_search_pids($1) - allow $1 qpidd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Search qpidd lib directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`qpidd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_search_lib'($*)) dnl - - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 qpidd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`qpidd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_read_lib_files'($*)) dnl - - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## qpidd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`qpidd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_manage_lib_files'($*)) dnl - - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an qpidd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`qpidd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qpidd_admin'($*)) dnl - - gen_require(` - type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; - type qpidd_runtime_t; - ') - - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) - - init_startstop_service($1, $2, qpidd_t, qpidd_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, qpidd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, qpidd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qpidd_admin'($*)) dnl - ') - -## Privacy enhancing web proxy. - -######################################## -## -## All of the rules required to -## administrate an privoxy environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`privoxy_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `privoxy_admin'($*)) dnl - - gen_require(` - type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; - type privoxy_etc_rw_t, privoxy_runtime_t; - ') - - allow $1 privoxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, privoxy_t) - - init_startstop_service($1, $2, privoxy_t, privoxy_initrc_exec_t) - - logging_list_logs($1) - admin_pattern($1, privoxy_log_t) - - files_list_etc($1) - admin_pattern($1, privoxy_etc_rw_t) - - files_list_pids($1) - admin_pattern($1, privoxy_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `privoxy_admin'($*)) dnl - ') - -## Reserve well-known ports in the RPC port range. - -######################################## -## -## Execute a domain transition to run portreserve. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`portreserve_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portreserve_domtrans'($*)) dnl - - gen_require(` - type portreserve_t, portreserve_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, portreserve_exec_t, portreserve_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portreserve_domtrans'($*)) dnl - ') - - -####################################### -## -## Read portreserve configuration content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`portreserve_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portreserve_read_config'($*)) dnl - - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir list_dir_perms; - allow $1 portreserve_etc_t:file read_file_perms; - allow $1 portreserve_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portreserve_read_config'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## portreserve configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`portreserve_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portreserve_manage_config'($*)) dnl - - gen_require(` - type portreserve_etc_t; - ') - - files_search_etc($1) - allow $1 portreserve_etc_t:dir manage_dir_perms; - allow $1 portreserve_etc_t:file manage_file_perms; - allow $1 portreserve_etc_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portreserve_manage_config'($*)) dnl - ') - - -######################################## -## -## Execute portreserve init scripts in -## the init script domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`portreserve_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portreserve_initrc_domtrans'($*)) dnl - - gen_require(` - type portreserve_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, portreserve_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portreserve_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an portreserve environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`portreserve_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `portreserve_admin'($*)) dnl - - gen_require(` - type portreserve_t, portreserve_etc_t, portreserve_runtime_t; - type portreserve_initrc_exec_t; - ') - - allow $1 portreserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, portreserve_t) - - init_startstop_service($1, $2, portreserve_t, portreserve_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, portreserve_etc_t) - - files_list_pids($1) - admin_pattern($1, portreserve_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `portreserve_admin'($*)) dnl - ') - -## Python implementation of the OpenStack identity service API. - -######################################## -## -## All of the rules required to -## administrate an keystone environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`keystone_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `keystone_admin'($*)) dnl - - gen_require(` - type keystone_t, keystone_initrc_exec_t, keystone_log_t; - type keystone_var_lib_t, keystone_tmp_t; - ') - - allow $1 keystone_t:process { ptrace signal_perms }; - ps_process_pattern($1, keystone_t) - - init_startstop_service($1, $2, keystone_t, keystone_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, keystone_log_t) - - files_search_var_lib($1) - admin_pattern($1, keystone_var_lib_t) - - files_search_tmp($1) - admin_pattern($1, keystone_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `keystone_admin'($*)) dnl - ') - -## Subscription Management Certificate Daemon. - -######################################## -## -## Execute rhsmcertd in the rhsmcertd domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rhsmcertd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_domtrans'($*)) dnl - - gen_require(` - type rhsmcertd_t, rhsmcertd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute rhsmcertd init scripts -## in the initrc domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rhsmcertd_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_initrc_domtrans'($*)) dnl - - gen_require(` - type rhsmcertd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Read rhsmcertd log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`rhsmcertd_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_log'($*)) dnl - - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_read_log'($*)) dnl - ') - - -######################################## -## -## Append rhsmcertd log files. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_append_log'($*)) dnl - - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rhsmcertd log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhsmcertd_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_log'($*)) dnl - - gen_require(` - type rhsmcertd_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_log'($*)) dnl - ') - - -######################################## -## -## Search rhsmcertd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_search_lib'($*)) dnl - - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_search_lib'($*)) dnl - ') - - -######################################## -## -## Read rhsmcertd lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_lib_files'($*)) dnl - - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rhsmcertd lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhsmcertd_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_files'($*)) dnl - - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rhsmcertd lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_dirs'($*)) dnl - - gen_require(` - type rhsmcertd_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Read rhsmcertd pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_pid_files'($*)) dnl - - gen_require(` - type rhsmcertd_runtime_t; - ') - - files_search_pids($1) - allow $1 rhsmcertd_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_read_pid_files'($*)) dnl - ') - - -#################################### -## -## Connect to rhsmcertd with a -## unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhsmcertd_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_stream_connect'($*)) dnl - - gen_require(` - type rhsmcertd_t, rhsmcertd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, rhsmcertd_runtime_t, rhsmcertd_runtime_t, rhsmcertd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_stream_connect'($*)) dnl - ') - - -####################################### -## -## Send and receive messages from -## rhsmcertd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`rhsmcertd_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_dbus_chat'($*)) dnl - - gen_require(` - type rhsmcertd_t; - class dbus send_msg; - ') - - allow $1 rhsmcertd_t:dbus send_msg; - allow rhsmcertd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_dbus_chat'($*)) dnl - ') - - -###################################### -## -## Do not audit attempts to send -## and receive messages from -## rhsmcertd over dbus. -## -## -## -## Domain to not audit. -## -## -# - define(`rhsmcertd_dontaudit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_dontaudit_dbus_chat'($*)) dnl - - gen_require(` - type rhsmcertd_t; - class dbus send_msg; - ') - - dontaudit $1 rhsmcertd_t:dbus send_msg; - dontaudit rhsmcertd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_dontaudit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rhsmcertd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rhsmcertd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhsmcertd_admin'($*)) dnl - - gen_require(` - type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; - type rhsmcertd_var_lib_t, rhsmcertd_runtime_t, rhsmcertd_lock_t; - ') - - allow $1 rhsmcertd_t:process { ptrace signal_perms }; - ps_process_pattern($1, rhsmcertd_t) - - init_startstop_service($1, $2, rhsmcertd_t, rhsmcertd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, rhsmcertd_log_t) - - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, rhsmcertd_runtime_t) - - files_search_locks($1) - admin_pattern($1, rhsmcertd_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhsmcertd_admin'($*)) dnl - ') - -## Perdition POP and IMAP proxy. - -######################################## -## -## All of the rules required to -## administrate an perdition environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`perdition_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `perdition_admin'($*)) dnl - - gen_require(` - type perdition_t, perdition_initrc_exec_t, perdition_etc_t; - type perdition_runtime_t; - ') - - allow $1 perdition_t:process { ptrace signal_perms }; - ps_process_pattern($1, perdition_t) - - init_startstop_service($1, $2, perdition_t, perdition_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, perdition_etc_t) - - files_search_pids($1) - admin_pattern($1, perdition_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `perdition_admin'($*)) dnl - ') - -## SSL Tunneling Proxy. - -######################################## -## -## Define the specified domain as a stunnel inetd service. 
-## -## -## -## The type associated with the stunnel inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# - define(`stunnel_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `stunnel_service_domain'($*)) dnl - - gen_require(` - type stunnel_t; - ') - - domtrans_pattern(stunnel_t, $2, $1) - allow $1 stunnel_t:tcp_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `stunnel_service_domain'($*)) dnl - ') - - -######################################## -## -## Read stunnel configuration content. -## -## -## -## Domain allowed access. -## -## -# - define(`stunnel_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `stunnel_read_config'($*)) dnl - - gen_require(` - type stunnel_etc_t; - ') - - files_search_etc($1) - allow $1 stunnel_etc_t:dir list_dir_perms; - allow $1 stunnel_etc_t:file read_file_perms; - allow $1 stunnel_etc_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `stunnel_read_config'($*)) dnl - ') - -## z/OS Remote-services Audit dispatcher plugin. - -######################################## -## -## Execute a domain transition to run audispd-zos-remote. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`zosremote_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zosremote_domtrans'($*)) dnl - - gen_require(` - type zos_remote_t, zos_remote_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zosremote_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute zos remote in the zos remote -## domain, and allow the specified role -## the zos remote domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`zosremote_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `zosremote_run'($*)) dnl - - gen_require(` - attribute_role zos_remote_roles; - ') - - zosremote_domtrans($1) - roleattribute $2 zos_remote_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `zosremote_run'($*)) dnl - ') - -## Mirrors a block device over the network to another machine. - -######################################## -## -## Execute a domain transition to -## run drbd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`drbd_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `drbd_domtrans'($*)) dnl - - gen_require(` - type drbd_t, drbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, drbd_exec_t, drbd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `drbd_domtrans'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an drbd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`drbd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `drbd_admin'($*)) dnl - - gen_require(` - type drbd_t, drbd_initrc_exec_t, drbd_lock_t; - type drbd_var_lib_t; - ') - - allow $1 drbd_t:process { ptrace signal_perms }; - ps_process_pattern($1, drbd_t) - - init_startstop_service($1, $2, drbd_t, drbd_initrc_exec_t) - - files_search_locks($1) - admin_pattern($1, drbd_lock_t) - - files_search_var_lib($1) - admin_pattern($1, drbd_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `drbd_admin'($*)) dnl - ') - -## Software for reliable, scalable, distributed computing. - -####################################### -## -## The template to define a hadoop domain. -## -## -## -## Domain prefix to be used. -## -## -# - define(`hadoop_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_domain_template'($*)) dnl - - gen_require(` - attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file; - attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file; - attribute hadoop_tmp_file, hadoop_var_lib_file; - type hadoop_log_t, hadoop_var_lib_t, hadoop_runtime_t; - type hadoop_exec_t, hadoop_hsperfdata_t; - ') - - ######################################## - # - # Declarations - # - - type hadoop_$1_t, hadoop_domain; - domain_type(hadoop_$1_t) - domain_entry_file(hadoop_$1_t, hadoop_exec_t) - role system_r types hadoop_$1_t; - - type hadoop_$1_initrc_t, hadoop_initrc_domain; - type hadoop_$1_initrc_exec_t, hadoop_init_script_file; - init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t) - role system_r types hadoop_$1_initrc_t; - - type hadoop_$1_initrc_runtime_t, hadoop_pid_file; - files_pid_file(hadoop_$1_initrc_runtime_t) - - type hadoop_$1_lock_t, hadoop_lock_file; - files_lock_file(hadoop_$1_lock_t) - - type hadoop_$1_log_t, hadoop_log_file; - 
logging_log_file(hadoop_$1_log_t) - - type hadoop_$1_tmp_t, hadoop_tmp_file; - files_tmp_file(hadoop_$1_tmp_t) - - type hadoop_$1_var_lib_t, hadoop_var_lib_file; - files_type(hadoop_$1_var_lib_t) - - #################################### - # - # hadoop_domain policy - # - - manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) - - manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t) - filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) - - manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_runtime_t, hadoop_$1_initrc_runtime_t) - filetrans_pattern(hadoop_$1_t, hadoop_runtime_t, hadoop_$1_initrc_runtime_t, file) - - manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) - filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file) - - auth_use_nsswitch(hadoop_$1_t) - - #################################### - # - # hadoop_initrc_domain policy - # - - allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull }; - - domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t) - files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_runtime_t, hadoop_$1_initrc_runtime_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_runtime_t, hadoop_$1_initrc_runtime_t, file) - - manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t) - filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file }) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_domain_template'($*)) dnl - ') - - -######################################## -## -## Role access for hadoop. -## -## -## -## Role allowed access. 
-## -## -## -## -## Domain allowed access. -## -## -## -# - define(`hadoop_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_role'($*)) dnl - - gen_require(` - attribute_role hadoop_roles, zookeeper_roles; - type hadoop_t, zookeeper_t, hadoop_home_t; - type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t; - ') - - hadoop_domtrans($2) - roleattribute $1 hadoop_roles; - - hadoop_domtrans_zookeeper_client($2) - roleattribute $1 zookeeper_roles; - - allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { hadoop_t zookeeper_t }) - - allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_role'($*)) dnl - ') - - -######################################## -## -## Execute hadoop in the -## hadoop domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hadoop_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_domtrans'($*)) dnl - - gen_require(` - type hadoop_t, hadoop_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hadoop_exec_t, hadoop_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_domtrans'($*)) dnl - ') - - -######################################## -## -## Receive from hadoop peer. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hadoop_recvfrom',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom'($*)) dnl - - gen_require(` - type hadoop_t; - ') - - allow $1 hadoop_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom'($*)) dnl - ') - - -######################################## -## -## Execute zookeeper client in the -## zookeeper client domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hadoop_domtrans_zookeeper_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_client'($*)) dnl - - gen_require(` - type zookeeper_t, zookeeper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_exec_t, zookeeper_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_client'($*)) dnl - ') - - -######################################## -## -## Receive from zookeeper peer. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_recvfrom_zookeeper_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_client'($*)) dnl - - gen_require(` - type zookeeper_t; - ') - - allow $1 zookeeper_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_client'($*)) dnl - ') - - -######################################## -## -## Execute zookeeper server in the -## zookeeper server domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`hadoop_domtrans_zookeeper_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_server'($*)) dnl - - gen_require(` - type zookeeper_server_t, zookeeper_server_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_server'($*)) dnl - ') - - -######################################## -## -## Receive from zookeeper server peer. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_recvfrom_zookeeper_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_server'($*)) dnl - - gen_require(` - type zookeeper_server_t; - ') - - allow $1 zookeeper_server_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_server'($*)) dnl - ') - - -######################################## -## -## Execute zookeeper server in the -## zookeeper domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hadoop_initrc_domtrans_zookeeper_server',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl - - gen_require(` - type zookeeper_server_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl - ') - - -######################################## -## -## Receive from datanode peer. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hadoop_recvfrom_datanode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_datanode'($*)) dnl - - gen_require(` - type hadoop_datanode_t; - ') - - allow $1 hadoop_datanode_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_datanode'($*)) dnl - ') - - -######################################## -## -## Read hadoop configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_read_config'($*)) dnl - - gen_require(` - type hadoop_etc_t; - ') - - read_files_pattern($1, hadoop_etc_t, hadoop_etc_t) - read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_read_config'($*)) dnl - ') - - -######################################## -## -## Execute hadoop configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_exec_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_exec_config'($*)) dnl - - gen_require(` - type hadoop_etc_t; - ') - - hadoop_read_config($1) - allow $1 hadoop_etc_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_exec_config'($*)) dnl - ') - - -######################################## -## -## Receive from jobtracker peer. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hadoop_recvfrom_jobtracker',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_jobtracker'($*)) dnl - - gen_require(` - type hadoop_jobtracker_t; - ') - - allow $1 hadoop_jobtracker_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_jobtracker'($*)) dnl - ') - - -######################################## -## -## Match hadoop lan association. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_match_lan_spd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_match_lan_spd'($*)) dnl - - gen_require(` - type hadoop_lan_t; - ') - - allow $1 hadoop_lan_t:association polmatch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_match_lan_spd'($*)) dnl - ') - - -######################################## -## -## Receive from namenode peer. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_recvfrom_namenode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_namenode'($*)) dnl - - gen_require(` - type hadoop_namenode_t; - ') - - allow $1 hadoop_namenode_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_namenode'($*)) dnl - ') - - -######################################## -## -## Receive from secondary namenode peer. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hadoop_recvfrom_secondarynamenode',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_secondarynamenode'($*)) dnl - - gen_require(` - type hadoop_secondarynamenode_t; - ') - - allow $1 hadoop_secondarynamenode_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_secondarynamenode'($*)) dnl - ') - - -######################################## -## -## Receive from tasktracker peer. -## -## -## -## Domain allowed access. -## -## -# - define(`hadoop_recvfrom_tasktracker',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_tasktracker'($*)) dnl - - gen_require(` - type hadoop_tasktracker_t; - ') - - allow $1 hadoop_tasktracker_t:peer recv; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_tasktracker'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an hadoop environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`hadoop_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hadoop_admin'($*)) dnl - - gen_require(` - attribute hadoop_domain; - attribute hadoop_initrc_domain; - - attribute hadoop_pid_file; - attribute hadoop_lock_file; - attribute hadoop_log_file; - attribute hadoop_tmp_file; - attribute hadoop_var_lib_file; - - type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t; - type zookeeper_t, zookeeper_etc_t, zookeeper_server_t; - type zookeeper_server_var_t; - - type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t; - type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t; - type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t; - type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t; - type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t; - ') - - allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) - - init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) - init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t) - init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t) - init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t) - init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) - - logging_search_logs($1) - admin_pattern($1, hadoop_log_file) - - files_search_locks($1) - admin_pattern($1, hadoop_lock_file) - - files_search_pids($1) - admin_pattern($1, hadoop_pid_file) - - files_search_tmp($1) - admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t }) - - files_search_var_lib($1) - 
admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hadoop_admin'($*)) dnl - ') - -## high-performance authoritative-only DNS server. - -######################################## -## -## Execute knotc in the knotc domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`knot_domtrans_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `knot_domtrans_client'($*)) dnl - - gen_require(` - type knotc_t, knotc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, knotc_exec_t, knotc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `knot_domtrans_client'($*)) dnl - ') - - -######################################## -## -## Execute knotc in the knotc domain, and -## allow the specified role the knotc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`knot_run_client',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `knot_run_client'($*)) dnl - - gen_require(` - attribute_role knot_roles; - ') - - knot_domtrans_client($1) - roleattribute $2 knot_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `knot_run_client'($*)) dnl - ') - - -######################################## -## -## Read knot config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`knot_read_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `knot_read_config_files'($*)) dnl - - gen_require(` - type knot_conf_t; - ') - - read_files_pattern($1, knot_conf_t, knot_conf_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `knot_read_config_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an knot environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`knot_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `knot_admin'($*)) dnl - - gen_require(` - type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t; - type knot_runtime_t, knot_tmp_t, knot_var_lib_t; - ') - - allow $1 knotc_t:process signal_perms; - allow $1 knotd_t:process { ptrace signal_perms }; - ps_process_pattern($1, knotc_t) - ps_process_pattern($1, knotd_t) - - init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, knot_conf_t) - - files_search_pids($1) - admin_pattern($1, knot_runtime_t) - - files_search_tmp($1) - admin_pattern($1, knot_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, knot_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `knot_admin'($*)) dnl - ') - -## D-BUS service which runs odd jobs on behalf of client applications. - -######################################## -## -## Execute a domain transition to run oddjob. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`oddjob_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_domtrans'($*)) dnl - - gen_require(` - type oddjob_t, oddjob_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_exec_t, oddjob_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_domtrans'($*)) dnl - ') - - -######################################## -## -## Make the specified program domain -## accessable from the oddjob. -## -## -## -## The type of the process to transition to. -## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# - define(`oddjob_system_entry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_system_entry'($*)) dnl - - gen_require(` - type oddjob_t; - ') - - domtrans_pattern(oddjob_t, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_system_entry'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## oddjob over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`oddjob_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_dbus_chat'($*)) dnl - - gen_require(` - type oddjob_t; - class dbus send_msg; - ') - - allow $1 oddjob_t:dbus send_msg; - allow oddjob_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to -## run oddjob mkhomedir. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`oddjob_domtrans_mkhomedir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_domtrans_mkhomedir'($*)) dnl - - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_domtrans_mkhomedir'($*)) dnl - ') - - -######################################## -## -## Execute oddjob mkhomedir in the -## oddjob mkhomedir domain and allow -## the specified role the oddjob -## mkhomedir domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`oddjob_run_mkhomedir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_run_mkhomedir'($*)) dnl - - gen_require(` - attribute_role oddjob_mkhomedir_roles; - ') - - oddjob_domtrans_mkhomedir($1) - roleattribute $2 oddjob_mkhomedir_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_run_mkhomedir'($*)) dnl - ') - - -##################################### -## -## Do not audit attempts to read and write -## oddjob fifo files. -## -## -## -## Domain to not audit. -## -## -# - define(`oddjob_dontaudit_rw_fifo_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_dontaudit_rw_fifo_files'($*)) dnl - - gen_require(` - type oddjob_t; - ') - - dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_dontaudit_rw_fifo_files'($*)) dnl - ') - - -###################################### -## -## Send child terminated signals to oddjob. -## -## -## -## Domain allowed access. 
-## -## -# - define(`oddjob_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `oddjob_sigchld'($*)) dnl - - gen_require(` - type oddjob_t; - ') - - allow $1 oddjob_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `oddjob_sigchld'($*)) dnl - ') - -## Distributed compiler daemon. - -######################################## -## -## All of the rules required to -## administrate an distcc environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`distcc_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `distcc_admin'($*)) dnl - - gen_require(` - type distccd_t, distccd_t, distccd_log_t; - type distccd_runtime_t, distccd_tmp_t, distccd_initrc_exec_t; - ') - - allow $1 distccd_t:process { ptrace signal_perms }; - ps_process_pattern($1, distccd_t) - - init_startstop_service($1, $2, distccd_t, distccd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, distccd_log_t) - - files_search_tmp($1) - admin_pattern($1, distccd_tmp_t) - - files_search_pids($1) - admin_pattern($1, distccd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `distcc_admin'($*)) dnl - ') - -## Fast incremental file transfer for synchronization. - -######################################## -## -## Make rsync executable file an -## entry point for the specified domain. -## -## -## -## The domain for which rsync_exec_t is an entrypoint. 
-## -## -# - define(`rsync_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_entry_type'($*)) dnl - - gen_require(` - type rsync_exec_t; - ') - - domain_entry_file($1, rsync_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_entry_type'($*)) dnl - ') - - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`rsync_entry_spec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_entry_spec_domtrans'($*)) dnl - - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, rsync_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_entry_spec_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute a rsync in a specified domain. -## -## -##

-## Execute a rsync in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`rsync_entry_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_entry_domtrans'($*)) dnl - - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - domain_auto_transition_pattern($1, rsync_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_entry_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute the rsync program in the rsync domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rsync_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_domtrans'($*)) dnl - - gen_require(` - type rsync_t, rsync_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rsync_exec_t, rsync_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute rsync in the rsync domain, and -## allow the specified role the rsync domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`rsync_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_run'($*)) dnl - - gen_require(` - attribute_role rsync_roles; - ') - - rsync_domtrans($1) - roleattribute $2 rsync_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_run'($*)) dnl - ') - - -######################################## -## -## Execute rsync in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rsync_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_exec'($*)) dnl - - gen_require(` - type rsync_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rsync_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_exec'($*)) dnl - ') - - -######################################## -## -## Read rsync config files. -## -## -## -## Domain allowed access. -## -## -# - define(`rsync_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_read_config'($*)) dnl - - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - allow $1 rsync_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_read_config'($*)) dnl - ') - - -######################################## -## -## Write rsync config files. -## -## -## -## Domain allowed access. -## -## -# - define(`rsync_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_write_config'($*)) dnl - - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - allow $1 rsync_etc_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_write_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## rsync config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rsync_manage_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_manage_config_files'($*)) dnl - - gen_require(` - type rsync_etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_manage_config_files'($*)) dnl - ') - - -######################################## -## -## Create specified objects in etc directories -## with rsync etc type. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`rsync_etc_filetrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_etc_filetrans_config'($*)) dnl - - gen_require(` - type rsync_etc_t; - ') - - files_etc_filetrans($1, rsync_etc_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_etc_filetrans_config'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rsync environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`rsync_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rsync_admin'($*)) dnl - - gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t, rsync_runtime_t; - ') - - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - - files_search_etc($1) - admin_pattern($1, rsync_etc_t) - - admin_pattern($1, rsync_data_t) - - logging_search_logs($1) - admin_pattern($1, rsync_log_t) - - files_search_tmp($1) - admin_pattern($1, rsync_tmp_t) - - files_search_pids($1) - admin_pattern($1, rsync_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rsync_admin'($*)) dnl - ') - -## CacheFiles user-space management daemon. - -######################################## -## -## All of the rules required to -## administrate an cachefilesd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`cachefilesd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cachefilesd_admin'($*)) dnl - - gen_require(` - type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t; - type cachefilesd_runtime_t; - ') - - allow $1 cachefilesd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cachefilesd_t) - - init_startstop_service($1, $2, cachefilesd_t, cachefilesd_initrc_exec_t) - - files_search_var($1) - admin_pattern($1, cachefilesd_cache_t) - - files_search_pids($1) - admin_pattern($1, cachefilesd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cachefilesd_admin'($*)) dnl - ') - -## Red Hat Cluster Suite. - -####################################### -## -## The template to define a rhcs domain. -## -## -## -## Domain prefix to be used. 
-## -## -# - define(`rhcs_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domain_template'($*)) dnl - - gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; - ') - - ############################## - # - # Declarations - # - - type $1_t, cluster_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) - - type $1_runtime_t alias $1_var_run_t, cluster_pid; - files_pid_file($1_runtime_t) - - type $1_tmpfs_t, cluster_tmpfs; - files_tmpfs_file($1_tmpfs_t) - - type $1_var_log_t, cluster_log; - logging_log_file($1_var_log_t) - - ############################## - # - # Local policy - # - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - - manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) - append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) - - manage_dirs_pattern($1_t, $1_runtime_t, $1_runtime_t) - manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t) - manage_fifo_files_pattern($1_t, $1_runtime_t, $1_runtime_t) - manage_sock_files_pattern($1_t, $1_runtime_t, $1_runtime_t) - files_pid_filetrans($1_t, $1_runtime_t, { dir file sock_file fifo_file }) - - optional_policy(` - dbus_system_bus_client($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domain_template'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to -## run dlm_controld. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rhcs_domtrans_dlm_controld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_dlm_controld'($*)) dnl - - gen_require(` - type dlm_controld_t, dlm_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domtrans_dlm_controld'($*)) dnl - ') - - -##################################### -## -## Get attributes of fenced -## executable files. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_getattr_fenced_exec_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_getattr_fenced_exec_files'($*)) dnl - - gen_require(` - type fenced_exec_t; - ') - - allow $1 fenced_exec_t:file getattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_getattr_fenced_exec_files'($*)) dnl - ') - - -##################################### -## -## Connect to dlm_controld with a -## unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_stream_connect_dlm_controld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_dlm_controld'($*)) dnl - - gen_require(` - type dlm_controld_t, dlm_controld_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dlm_controld_runtime_t, dlm_controld_runtime_t, dlm_controld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_dlm_controld'($*)) dnl - ') - - -##################################### -## -## Read and write dlm_controld semaphores. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhcs_rw_dlm_controld_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_dlm_controld_semaphores'($*)) dnl - - gen_require(` - type dlm_controld_t, dlm_controld_tmpfs_t; - ') - - allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_dlm_controld_semaphores'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to run fenced. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rhcs_domtrans_fenced',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_fenced'($*)) dnl - - gen_require(` - type fenced_t, fenced_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fenced_exec_t, fenced_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domtrans_fenced'($*)) dnl - ') - - -###################################### -## -## Read and write fenced semaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_rw_fenced_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_fenced_semaphores'($*)) dnl - - gen_require(` - type fenced_t, fenced_tmpfs_t; - ') - - allow $1 fenced_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_fenced_semaphores'($*)) dnl - ') - - -#################################### -## -## Connect to all cluster domains -## with a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhcs_stream_connect_cluster',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_cluster'($*)) dnl - - gen_require(` - attribute cluster_domain, cluster_pid; - ') - - files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_cluster'($*)) dnl - ') - - -###################################### -## -## Connect to fenced with an unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_stream_connect_fenced',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_fenced'($*)) dnl - - gen_require(` - type fenced_runtime_t, fenced_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, fenced_runtime_t, fenced_runtime_t, fenced_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_fenced'($*)) dnl - ') - - -##################################### -## -## Execute a domain transition -## to run gfs_controld. -## -## -## -## Domain allowed to transition. -## -## -# - define(`rhcs_domtrans_gfs_controld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_gfs_controld'($*)) dnl - - gen_require(` - type gfs_controld_t, gfs_controld_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domtrans_gfs_controld'($*)) dnl - ') - - -#################################### -## -## Read and write gfs_controld semaphores. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhcs_rw_gfs_controld_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_semaphores'($*)) dnl - - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_semaphores'($*)) dnl - ') - - -######################################## -## -## Read and write gfs_controld_t shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_rw_gfs_controld_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_shm'($*)) dnl - - gen_require(` - type gfs_controld_t, gfs_controld_tmpfs_t; - ') - - allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_shm'($*)) dnl - ') - - -##################################### -## -## Connect to gfs_controld_t with -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_stream_connect_gfs_controld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_gfs_controld'($*)) dnl - - gen_require(` - type gfs_controld_t, gfs_controld_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, gfs_controld_runtime_t, gfs_controld_runtime_t, gfs_controld_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_gfs_controld'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to run groupd. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`rhcs_domtrans_groupd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_groupd'($*)) dnl - - gen_require(` - type groupd_t, groupd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, groupd_exec_t, groupd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domtrans_groupd'($*)) dnl - ') - - -##################################### -## -## Connect to groupd with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_stream_connect_groupd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_groupd'($*)) dnl - - gen_require(` - type groupd_t, groupd_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, groupd_runtime_t, groupd_runtime_t, groupd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_groupd'($*)) dnl - ') - - -######################################## -## -## Read and write all cluster domains -## shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_rw_cluster_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_shm'($*)) dnl - - gen_require(` - attribute cluster_domain, cluster_tmpfs; - ') - - allow $1 cluster_domain:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_shm'($*)) dnl - ') - - -#################################### -## -## Read and write all cluster -## domains semaphores. -## -## -## -## Domain allowed access. 
-## -## -# - define(`rhcs_rw_cluster_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_semaphores'($*)) dnl - - gen_require(` - attribute cluster_domain; - ') - - allow $1 cluster_domain:sem { rw_sem_perms destroy }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_semaphores'($*)) dnl - ') - - -##################################### -## -## Read and write groupd semaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_rw_groupd_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_semaphores'($*)) dnl - - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:sem { rw_sem_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_semaphores'($*)) dnl - ') - - -######################################## -## -## Read and write groupd shared memory. -## -## -## -## Domain allowed access. -## -## -# - define(`rhcs_rw_groupd_shm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_shm'($*)) dnl - - gen_require(` - type groupd_t, groupd_tmpfs_t; - ') - - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_shm'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to run qdiskd. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`rhcs_domtrans_qdiskd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_qdiskd'($*)) dnl - - gen_require(` - type qdiskd_t, qdiskd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_domtrans_qdiskd'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an rhcs environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`rhcs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `rhcs_admin'($*)) dnl - - gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; - type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; - type fenced_tmp_t, qdiskd_var_lib_t; - type dlm_controld_t, foghorn_t; - ') - - allow $1 cluster_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cluster_domain) - - init_startstop_service($1, $2, dlm_controld_t, dlm_controld_initrc_exec_t) - init_startstop_service($1, $2, foghorn_t, foghorn_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, cluster_pid) - - files_search_locks($1) - admin_pattern($1, fenced_lock_t) - - files_search_tmp($1) - admin_pattern($1, fenced_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, qdiskd_var_lib_t) - - fs_search_tmpfs($1) - admin_pattern($1, cluster_tmpfs) - - logging_search_logs($1) - admin_pattern($1, cluster_log) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `rhcs_admin'($*)) dnl - ') - -## Internet services daemon. - -######################################## -## -## Define the specified domain as a inetd service. -## -## -##

-## Define the specified domain as a inetd service. The -## inetd_service_domain(), inetd_tcp_service_domain(), -## or inetd_udp_service_domain() interfaces should be used -## instead of this interface, as this interface only provides -## the common rules to these three interfaces. -##

-##
-## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# - define(`inetd_core_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_core_service_domain'($*)) dnl - - gen_require(` - type inetd_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_core_service_domain'($*)) dnl - ') - - -######################################## -## -## Define the specified domain as a TCP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# - define(`inetd_tcp_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_tcp_service_domain'($*)) dnl - - - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_tcp_service_domain'($*)) dnl - ') - - -######################################## -## -## Define the specified domain as a UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. 
-## -## -# - define(`inetd_udp_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_udp_service_domain'($*)) dnl - - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:udp_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_udp_service_domain'($*)) dnl - ') - - -######################################## -## -## Define the specified domain as a TCP and UDP inetd service. -## -## -## -## The type associated with the inetd service process. -## -## -## -## -## The type associated with the process program. -## -## -# - define(`inetd_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_service_domain'($*)) dnl - - gen_require(` - type inetd_t; - ') - - inetd_core_service_domain($1, $2) - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - allow $1 inetd_t:udp_socket rw_socket_perms; - - optional_policy(` - stunnel_service_domain($1, $2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_service_domain'($*)) dnl - ') - - -######################################## -## -## Inherit and use inetd file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`inetd_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_use_fds'($*)) dnl - - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_use_fds'($*)) dnl - ') - - -######################################## -## -## Run inetd child process in the -## inet child domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`inetd_domtrans_child',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_domtrans_child'($*)) dnl - - gen_require(` - type inetd_child_t, inetd_child_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_domtrans_child'($*)) dnl - ') - - -######################################## -## -## Read and write inetd TCP sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`inetd_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `inetd_rw_tcp_sockets'($*)) dnl - - gen_require(` - type inetd_t; - ') - - allow $1 inetd_t:tcp_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `inetd_rw_tcp_sockets'($*)) dnl - ') - -## Berkeley Internet name domain DNS server. - -######################################## -## -## Execute bind init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`bind_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_initrc_domtrans'($*)) dnl - - gen_require(` - type named_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, named_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute ndc in the ndc domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`bind_domtrans_ndc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_domtrans_ndc'($*)) dnl - - gen_require(` - type ndc_t, ndc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ndc_exec_t, ndc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_domtrans_ndc'($*)) dnl - ') - - -######################################## -## -## Send generic signals to bind. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_signal'($*)) dnl - - gen_require(` - type named_t; - ') - - allow $1 named_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_signal'($*)) dnl - ') - - -######################################## -## -## Send null signals to bind. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_signull'($*)) dnl - - gen_require(` - type named_t; - ') - - allow $1 named_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_signull'($*)) dnl - ') - - -######################################## -## -## Send kill signals to bind. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_kill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_kill'($*)) dnl - - gen_require(` - type named_t; - ') - - allow $1 named_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_kill'($*)) dnl - ') - - -######################################## -## -## Execute ndc in the ndc domain, and -## allow the specified role the ndc domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`bind_run_ndc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_run_ndc'($*)) dnl - - gen_require(` - attribute_role ndc_roles; - ') - - bind_domtrans_ndc($1) - roleattribute $2 ndc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_run_ndc'($*)) dnl - ') - - -######################################## -## -## Execute bind in the named domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`bind_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_domtrans'($*)) dnl - - gen_require(` - type named_t, named_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, named_exec_t, named_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_domtrans'($*)) dnl - ') - - -######################################## -## -## Read dnssec key files. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_read_dnssec_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_read_dnssec_keys'($*)) dnl - - gen_require(` - type named_conf_t, named_zone_t, dnssec_t; - ') - - read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_read_dnssec_keys'($*)) dnl - ') - - -######################################## -## -## Read bind named configuration files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bind_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_read_config'($*)) dnl - - gen_require(` - type named_conf_t; - ') - - read_files_pattern($1, named_conf_t, named_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_read_config'($*)) dnl - ') - - -######################################## -## -## Write bind named configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_write_config'($*)) dnl - - gen_require(` - type named_conf_t; - ') - - write_files_pattern($1, named_conf_t, named_conf_t) - allow $1 named_conf_t:file setattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_write_config'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## bind configuration directories. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_manage_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_manage_config_dirs'($*)) dnl - - gen_require(` - type named_conf_t; - ') - - manage_dirs_pattern($1, named_conf_t, named_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_manage_config_dirs'($*)) dnl - ') - - -######################################## -## -## Search bind cache directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bind_search_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_search_cache'($*)) dnl - - gen_require(` - type named_conf_t, named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_conf_t:dir search_dir_perms; - allow $1 named_zone_t:dir search_dir_perms; - allow $1 named_cache_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_search_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## bind cache files. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_manage_cache'($*)) dnl - - gen_require(` - type named_cache_t, named_zone_t; - ') - - files_search_var($1) - allow $1 named_zone_t:dir search_dir_perms; - manage_files_pattern($1, named_cache_t, named_cache_t) - manage_lnk_files_pattern($1, named_cache_t, named_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_manage_cache'($*)) dnl - ') - - -######################################## -## -## Set attributes of bind pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_setattr_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_setattr_pid_dirs'($*)) dnl - - gen_require(` - type named_runtime_t; - ') - - allow $1 named_runtime_t:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_setattr_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Set attributes of bind zone directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`bind_setattr_zone_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_setattr_zone_dirs'($*)) dnl - - gen_require(` - type named_zone_t; - ') - - allow $1 named_zone_t:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_setattr_zone_dirs'($*)) dnl - ') - - -######################################## -## -## Read bind zone files. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_read_zone',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_read_zone'($*)) dnl - - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - read_files_pattern($1, named_zone_t, named_zone_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_read_zone'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## bind zone files. -## -## -## -## Domain allowed access. -## -## -# - define(`bind_manage_zone',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_manage_zone'($*)) dnl - - gen_require(` - type named_zone_t; - ') - - files_search_var($1) - manage_files_pattern($1, named_zone_t, named_zone_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_manage_zone'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an bind environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`bind_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `bind_admin'($*)) dnl - - gen_require(` - type named_t, named_tmp_t, named_log_t; - type named_cache_t, named_zone_t, named_initrc_exec_t; - type dnssec_t, ndc_t, named_conf_t, named_runtime_t; - type named_keytab_t; - ') - - allow $1 { named_t ndc_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { named_t ndc_t }) - - init_startstop_service($1, $2, named_t, named_initrc_exec_t) - - files_list_tmp($1) - admin_pattern($1, named_tmp_t) - - logging_list_logs($1) - admin_pattern($1, named_log_t) - - files_list_etc($1) - admin_pattern($1, { named_keytab_t named_conf_t }) - - files_list_var($1) - admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) - - files_list_pids($1) - admin_pattern($1, named_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `bind_admin'($*)) dnl - ') - -## Devicekit modular hardware abstraction layer. - -######################################## -## -## Execute a domain transition to run devicekit. -## -## -## -## Domain allowed to transition. -## -## -# - define(`devicekit_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_domtrans'($*)) dnl - - gen_require(` - type devicekit_t, devicekit_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, devicekit_exec_t, devicekit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_domtrans'($*)) dnl - ') - - -######################################## -## -## Send to devicekit over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`devicekit_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_dgram_send'($*)) dnl - - gen_require(` - type devicekit_t, devicekit_runtime_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, devicekit_runtime_t, devicekit_runtime_t, devicekit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_dgram_send'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## devicekit over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat'($*)) dnl - - gen_require(` - type devicekit_t; - class dbus send_msg; - ') - - allow $1 devicekit_t:dbus send_msg; - allow devicekit_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## devicekit disk over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_dbus_chat_disk',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_disk'($*)) dnl - - gen_require(` - type devicekit_disk_t; - class dbus send_msg; - ') - - allow $1 devicekit_disk_t:dbus send_msg; - allow devicekit_disk_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_disk'($*)) dnl - ') - - -######################################## -## -## Send generic signals to devicekit power. -## -## -## -## Domain allowed access. 
-## -## -# - define(`devicekit_signal_power',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_signal_power'($*)) dnl - - gen_require(` - type devicekit_power_t; - ') - - allow $1 devicekit_power_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_signal_power'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## devicekit power over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_dbus_chat_power',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_power'($*)) dnl - - gen_require(` - type devicekit_power_t; - class dbus send_msg; - ') - - allow $1 devicekit_power_t:dbus send_msg; - allow devicekit_power_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_power'($*)) dnl - ') - - -######################################## -## -## Use and inherit devicekit power -## file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_use_fds_power',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_use_fds_power'($*)) dnl - - gen_require(` - type devicekit_power_t; - ') - - allow $1 devicekit_power_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_use_fds_power'($*)) dnl - ') - - -######################################## -## -## Append inherited devicekit log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`devicekit_append_inherited_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_append_inherited_log_files'($*)) dnl - - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) - allow $1 devicekit_var_log_t:file { getattr_file_perms append }; - - devicekit_use_fds_power($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_append_inherited_log_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## devicekit log files. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_manage_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_manage_log_files'($*)) dnl - - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_manage_log_files'($*)) dnl - ') - - -######################################## -## -## Relabel devicekit log files. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_relabel_log_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_relabel_log_files'($*)) dnl - - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) - relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_relabel_log_files'($*)) dnl - ') - - -######################################## -## -## Read devicekit PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`devicekit_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_read_pid_files'($*)) dnl - - gen_require(` - type devicekit_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## devicekit PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`devicekit_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_manage_pid_files'($*)) dnl - - gen_require(` - type devicekit_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, devicekit_runtime_t, devicekit_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an devicekit environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`devicekit_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `devicekit_admin'($*)) dnl - - gen_require(` - type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_lib_t, devicekit_runtime_t, devicekit_tmp_t; - type devicekit_var_log_t; - ') - - allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) - - files_search_tmp($1) - admin_pattern($1, devicekit_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, devicekit_var_lib_t) - - logging_search_logs($1) - admin_pattern($1, devicekit_var_log_t) - - files_search_pids($1) - admin_pattern($1, devicekit_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `devicekit_admin'($*)) dnl - ') - -## GNOME color manager. - -######################################## -## -## Execute a domain transition to run colord. -## -## -## -## Domain allowed access. -## -## -# - define(`colord_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `colord_domtrans'($*)) dnl - - gen_require(` - type colord_t, colord_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, colord_exec_t, colord_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `colord_domtrans'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## colord over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`colord_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `colord_dbus_chat'($*)) dnl - - gen_require(` - type colord_t; - class dbus send_msg; - ') - - allow $1 colord_t:dbus send_msg; - allow colord_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `colord_dbus_chat'($*)) dnl - ') - - -###################################### -## -## Read colord lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`colord_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `colord_read_lib_files'($*)) dnl - - gen_require(` - type colord_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `colord_read_lib_files'($*)) dnl - ') - -## Line printer daemon. - -######################################## -## -## Role access for lpd. -## -## -## -## Role allowed access. -## -## -## -## -## User domain for the role. -## -## -# - define(`lpd_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_role'($*)) dnl - - gen_require(` - attribute_role lpr_roles; - type lpr_t, lpr_exec_t; - ') - - ######################################## - # - # Declarations - # - - roleattribute $1 lpr_roles; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, lpr_exec_t, lpr_t) - - allow $2 lpr_t:process { ptrace signal_perms }; - ps_process_pattern($2, lpr_t) - - dontaudit lpr_t $2:unix_stream_socket { read write }; - - optional_policy(` - cups_read_config($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_role'($*)) dnl - ') - - -######################################## -## -## Execute lpd in the lpd domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`lpd_domtrans_checkpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_domtrans_checkpc'($*)) dnl - - gen_require(` - type checkpc_t, checkpc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, checkpc_exec_t, checkpc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_domtrans_checkpc'($*)) dnl - ') - - -######################################## -## -## Execute amrecover in the lpd -## domain, and allow the specified -## role the lpd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`lpd_run_checkpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_run_checkpc'($*)) dnl - - gen_require(` - attribute_role checkpc_roles; - ') - - lpd_domtrans_checkpc($1) - roleattribute $2 checkpc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_run_checkpc'($*)) dnl - ') - - -######################################## -## -## List printer spool directories. -## -## -## -## Domain allowed access. -## -## -# - define(`lpd_list_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_list_spool'($*)) dnl - - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_list_spool'($*)) dnl - ') - - -######################################## -## -## Read printer spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`lpd_read_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_read_spool'($*)) dnl - - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - read_files_pattern($1, print_spool_t, print_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_read_spool'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## printer spool content. -## -## -## -## Domain allowed access. -## -## -# - define(`lpd_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_manage_spool'($*)) dnl - - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - manage_dirs_pattern($1, print_spool_t, print_spool_t) - manage_files_pattern($1, print_spool_t, print_spool_t) - manage_lnk_files_pattern($1, print_spool_t, print_spool_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_manage_spool'($*)) dnl - ') - - -######################################## -## -## Relabel spool files. -## -## -## -## Domain allowed access. -## -## -# - define(`lpd_relabel_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_relabel_spool'($*)) dnl - - gen_require(` - type print_spool_t; - ') - - files_search_spool($1) - allow $1 print_spool_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_relabel_spool'($*)) dnl - ') - - -######################################## -## -## Read printer configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`lpd_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_read_config'($*)) dnl - - gen_require(` - type printconf_t; - ') - - allow $1 printconf_t:dir list_dir_perms; - read_files_pattern($1, printconf_t, printconf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_read_config'($*)) dnl - ') - - -######################################## -## -## Transition to a user lpr domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`lpd_domtrans_lpr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_domtrans_lpr'($*)) dnl - - gen_require(` - type lpr_t, lpr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lpr_exec_t, lpr_t) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_domtrans_lpr'($*)) dnl - ') - - -######################################## -## -## Execute lpr in the lpr domain, and -## allow the specified role the lpr domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`lpd_run_lpr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_run_lpr'($*)) dnl - - gen_require(` - attribute_role lpr_roles; - ') - - lpd_domtrans_lpr($1) - roleattribute $2 lpr_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_run_lpr'($*)) dnl - ') - - -######################################## -## -## Execute lpr in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`lpd_exec_lpr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lpd_exec_lpr'($*)) dnl - - gen_require(` - type lpr_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, lpr_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lpd_exec_lpr'($*)) dnl - ') - -## Qmail Mail Server. - -######################################## -## -## Template for qmail parent/sub-domain pairs. -## -## -## -## The prefix of the child domain. -## -## -## -## -## The name of the parent domain. -## -## -# - define(`qmail_child_domain_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qmail_child_domain_template'($*)) dnl - - gen_require(` - attribute qmail_child_domain; - ') - - ######################################## - # - # Declarations - # - - type $1_t, qmail_child_domain; - type $1_exec_t; - domain_type($1_t) - domain_entry_file($1_t, $1_exec_t) - - role system_r types $1_t; - - ######################################## - # - # Policy - # - - domtrans_pattern($2, $1_exec_t, $1_t) - - kernel_read_system_state($2) - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qmail_child_domain_template'($*)) dnl - ') - - -######################################## -## -## Transition to qmail_inject_t. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`qmail_domtrans_inject',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qmail_domtrans_inject'($*)) dnl - - gen_require(` - type qmail_inject_t, qmail_inject_exec_t; - ') - - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qmail_domtrans_inject'($*)) dnl - ') - - -######################################## -## -## Transition to qmail_queue_t. -## -## -## -## Domain allowed to transition. -## -## -# - define(`qmail_domtrans_queue',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qmail_domtrans_queue'($*)) dnl - - gen_require(` - type qmail_queue_t, qmail_queue_exec_t; - ') - - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qmail_domtrans_queue'($*)) dnl - ') - - -######################################## -## -## Read qmail configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`qmail_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qmail_read_config'($*)) dnl - - gen_require(` - type qmail_etc_t; - ') - - files_search_var($1) - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; - - ifdef(`distro_debian',` - files_search_etc($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qmail_read_config'($*)) dnl - ') - - -######################################## -## -## Define the specified domain as a -## qmail-smtp service. 
-## -## -## -## Domain allowed access -## -## -## -## -## The type associated with the process program. -## -## -# - define(`qmail_smtpd_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `qmail_smtpd_service_domain'($*)) dnl - - gen_require(` - type qmail_smtpd_t; - ') - - domtrans_pattern(qmail_smtpd_t, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `qmail_smtpd_service_domain'($*)) dnl - ') - -## Procmail mail delivery agent. - -######################################## -## -## Execute procmail with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`procmail_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_domtrans'($*)) dnl - - gen_require(` - type procmail_exec_t, procmail_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute procmail in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`procmail_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_exec'($*)) dnl - - gen_require(` - type procmail_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_exec'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## procmail home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`procmail_manage_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_manage_home_files'($*)) dnl - - gen_require(` - type procmail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_manage_home_files'($*)) dnl - ') - - -######################################## -## -## Read procmail user home content files. -## -## -## -## Domain allowed access. -## -## -# - define(`procmail_read_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_read_home_files'($*)) dnl - - gen_require(` - type procmail_home_t; - - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_read_home_files'($*)) dnl - ') - - -######################################## -## -## Relabel procmail home files. -## -## -## -## Domain allowed access. -## -## -# - define(`procmail_relabel_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_relabel_home_files'($*)) dnl - - gen_require(` - type procmail_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 procmail_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_relabel_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in user home -## directories with the procmail home type. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`procmail_home_filetrans_procmail_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_home_filetrans_procmail_home'($*)) dnl - - gen_require(` - type procmail_home_t; - ') - - userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_home_filetrans_procmail_home'($*)) dnl - ') - - -######################################## -## -## Read procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# - define(`procmail_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_read_tmp_files'($*)) dnl - - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - allow $1 procmail_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write procmail tmp files. -## -## -## -## Domain allowed access. -## -## -# - define(`procmail_rw_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `procmail_rw_tmp_files'($*)) dnl - - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `procmail_rw_tmp_files'($*)) dnl - ') - -## Jockey driver manager. -## Open source implementation of the Service Availability Forum Hardware Platform Interface. - -######################################## -## -## All of the rules required to -## administrate an openhpi environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`openhpi_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `openhpi_admin'($*)) dnl - - gen_require(` - type openhpid_t, openhpid_initrc_exec_t, openhpid_var_lib_t; - type openhpid_runtime_t; - ') - - allow $1 openhpid_t:process { ptrace signal_perms }; - ps_process_pattern($1, openhpid_t) - - init_startstop_service($1, $2, openhpid_t, openhpid_initrc_exec_t) - - files_search_var_lib($1) - admin_pattern($1, openhpid_var_lib_t) - - files_search_pids($1) - admin_pattern($1, openhpid_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `openhpi_admin'($*)) dnl - ') - -## Concurrent versions system. - -######################################## -## -## Read CVS data and metadata content. -## -## -## -## Domain allowed access. -## -## -# - define(`cvs_read_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cvs_read_data'($*)) dnl - - gen_require(` - type cvs_data_t; - ') - - list_dirs_pattern($1, cvs_data_t, cvs_data_t) - read_files_pattern($1, cvs_data_t, cvs_data_t) - read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cvs_read_data'($*)) dnl - ') - - -######################################## -## -## Execute cvs in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`cvs_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cvs_exec'($*)) dnl - - gen_require(` - type cvs_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, cvs_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cvs_exec'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an cvs environment -## -## -## -## Domain allowed access. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`cvs_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `cvs_admin'($*)) dnl - - gen_require(` - type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_runtime_t, cvs_keytab_t; - ') - - allow $1 cvs_t:process { ptrace signal_perms }; - ps_process_pattern($1, cvs_t) - - init_startstop_service($1, $2, cvs_t, cvs_initrc_exec_t) - - files_search_etc($1) - admin_pattern($1, cvs_keytab_t) - - files_list_tmp($1) - admin_pattern($1, cvs_tmp_t) - - files_search_usr($1) - admin_pattern($1, cvs_data_t) - - files_list_pids($1) - admin_pattern($1, cvs_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `cvs_admin'($*)) dnl - ') - -## File transfer protocol service. - -####################################### -## -## Execute a dyntransition to run anon sftpd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ftp_dyntrans_anon_sftpd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_anon_sftpd'($*)) dnl - - gen_require(` - type anon_sftpd_t; - ') - - dyntrans_pattern($1, anon_sftpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_dyntrans_anon_sftpd'($*)) dnl - ') - - -######################################## -## -## Read ftpd configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`ftp_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_read_config'($*)) dnl - - gen_require(` - type ftpd_etc_t; - ') - - files_search_etc($1) - allow $1 ftpd_etc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_read_config'($*)) dnl - ') - - -######################################## -## -## Execute FTP daemon entry point programs. 
-## -## -## -## Domain allowed access. -## -## -# - define(`ftp_check_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_check_exec'($*)) dnl - - gen_require(` - type ftpd_exec_t; - ') - - corecmd_search_bin($1) - allow $1 ftpd_exec_t:file mmap_exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_check_exec'($*)) dnl - ') - - -######################################## -## -## Read ftpd log files. -## -## -## -## Domain allowed access. -## -## -# - define(`ftp_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_read_log'($*)) dnl - - gen_require(` - type xferlog_t; - ') - - logging_search_logs($1) - allow $1 xferlog_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_read_log'($*)) dnl - ') - - -######################################## -## -## Execute the ftpdctl in the ftpdctl domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ftp_domtrans_ftpdctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_domtrans_ftpdctl'($*)) dnl - - gen_require(` - type ftpdctl_t, ftpdctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_domtrans_ftpdctl'($*)) dnl - ') - - -######################################## -## -## Execute the ftpdctl in the ftpdctl -## domain, and allow the specified -## role the ftpctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ftp_run_ftpdctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_run_ftpdctl'($*)) dnl - - gen_require(` - attribute_role ftpdctl_roles; - ') - - ftp_domtrans_ftpdctl($1) - roleattribute $2 ftpdctl_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_run_ftpdctl'($*)) dnl - ') - - -####################################### -## -## Execute a dyntransition to run sftpd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ftp_dyntrans_sftpd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_sftpd'($*)) dnl - - gen_require(` - type sftpd_t; - ') - - dyntrans_pattern($1, sftpd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_dyntrans_sftpd'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ftp environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ftp_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ftp_admin'($*)) dnl - - gen_require(` - type ftpd_t, ftpdctl_t, ftpd_tmp_t; - type ftpd_etc_t, ftpd_lock_t, sftpd_t; - type ftpd_runtime_t, xferlog_t, anon_sftpd_t; - type ftpd_initrc_exec_t, ftpdctl_tmp_t; - type ftpd_keytab_t; - ') - - allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) - - init_startstop_service($1, $2, ftpd_t, ftpd_initrc_exec_t) - - miscfiles_manage_public_files($1) - - files_list_tmp($1) - admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t }) - - files_list_etc($1) - admin_pattern($1, { ftpd_etc_t ftpd_keytab_t }) - - files_list_var($1) - admin_pattern($1, ftpd_lock_t) - - files_list_pids($1) - admin_pattern($1, ftpd_runtime_t) - - logging_list_logs($1) - admin_pattern($1, xferlog_t) - - ftp_run_ftpdctl($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ftp_admin'($*)) dnl - ') - -## Network scanning daemon. - -######################################## -## -## All of the rules required to -## administrate an nessus environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`nessus_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `nessus_admin'($*)) dnl - - gen_require(` - type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t; - type nessusd_etc_t, nessusd_log_t, nessusd_runtime_t; - ') - - allow $1 nessusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nessusd_t) - - init_startstop_service($1, $2, nessusd_t, nessusd_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, nessusd_log_t) - - files_search_etc($1) - admin_pattern($1, nessusd_etc_t) - - files_search_pids($1) - admin_pattern($1, nessusd_runtime_t) - - files_search_var_lib($1) - admin_pattern($1, nessusd_db_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `nessus_admin'($*)) dnl - ') - -## WireGuard VPN. - -######################################## -## -## Execute WireGuard in the wireguard domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`wireguard_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wireguard_domtrans'($*)) dnl - - gen_require(` - type wireguard_t, wireguard_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wireguard_exec_t, wireguard_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wireguard_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute WireGuard in the wireguard domain, and -## allow the specified role the wireguard domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`wireguard_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wireguard_run'($*)) dnl - - gen_require(` - attribute_role wireguard_roles; - ') - - wireguard_domtrans($1) - roleattribute $2 wireguard_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wireguard_run'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate a WireGuard -## environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`wireguard_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `wireguard_admin'($*)) dnl - - gen_require(` - type wireguard_t, wireguard_etc_t, wireguard_initrc_exec_t, wireguard_unit_t; - ') - - admin_process_pattern($1, wireguard_t) - - init_startstop_service($1, $2, wireguard_t, wireguard_initrc_exec_t, wireguard_unit_t) - - files_search_etc($1) - admin_pattern($1, wireguard_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `wireguard_admin'($*)) dnl - ') - -## Hardware abstraction layer. - -######################################## -## -## Execute hal in the hal domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hal_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_domtrans'($*)) dnl - - gen_require(` - type hald_t, hald_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_exec_t, hald_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_domtrans'($*)) dnl - ') - - -######################################## -## -## Get attributes of hald processes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_getattr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_getattr'($*)) dnl - - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_getattr'($*)) dnl - ') - - -######################################## -## -## Read hal process state files. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_read_state'($*)) dnl - - gen_require(` - type hald_t; - ') - - ps_process_pattern($1, hald_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_read_state'($*)) dnl - ') - - -######################################## -## -## Trace hald processes. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_ptrace',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_ptrace'($*)) dnl - - gen_require(` - type hald_t; - ') - - allow $1 hald_t:process ptrace; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_ptrace'($*)) dnl - ') - - -######################################## -## -## Inherit and use hald file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_use_fds'($*)) dnl - - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherited -## and use hald file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`hal_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dontaudit_use_fds'($*)) dnl - - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Read and write hald unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_rw_pipes'($*)) dnl - - gen_require(` - type hald_t; - ') - - allow $1 hald_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write hald unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`hal_dontaudit_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dontaudit_rw_pipes'($*)) dnl - - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dontaudit_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Send to hald over a unix domain -## datagram socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dgram_send'($*)) dnl - - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - dgram_send_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dgram_send'($*)) dnl - ') - - -######################################## -## -## Send to hald over a unix domain -## stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_stream_connect'($*)) dnl - - gen_require(` - type hald_t, hald_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, hald_var_lib_t, hald_var_lib_t, hald_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_stream_connect'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write hald unix datagram sockets. -## -## -## -## Domain to not audit. -## -## -# - define(`hal_dontaudit_rw_dgram_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dontaudit_rw_dgram_sockets'($*)) dnl - - gen_require(` - type hald_t; - ') - - dontaudit $1 hald_t:unix_dgram_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dontaudit_rw_dgram_sockets'($*)) dnl - ') - - -######################################## -## -## Send messages to hald over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_dbus_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dbus_send'($*)) dnl - - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dbus_send'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## hald over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dbus_chat'($*)) dnl - - gen_require(` - type hald_t; - class dbus send_msg; - ') - - allow $1 hald_t:dbus send_msg; - allow hald_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Execute hal mac in the hal mac domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hal_domtrans_mac',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_domtrans_mac'($*)) dnl - - gen_require(` - type hald_mac_t, hald_mac_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_domtrans_mac'($*)) dnl - ') - - -######################################## -## -## Write hald log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_write_log'($*)) dnl - - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - write_files_pattern($1, hald_log_t, hald_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_write_log'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write hald -## log files. -## -## -## -## Domain to not audit. -## -## -# - define(`hal_dontaudit_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dontaudit_write_log'($*)) dnl - - gen_require(` - type hald_log_t; - ') - - dontaudit $1 hald_log_t:file { append write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dontaudit_write_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## hald log files. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_manage_log'($*)) dnl - - gen_require(` - type hald_log_t; - ') - - logging_search_logs($1) - manage_files_pattern($1, hald_log_t, hald_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_manage_log'($*)) dnl - ') - - -######################################## -## -## Read hald temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_read_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_read_tmp_files'($*)) dnl - - gen_require(` - type hald_tmp_t; - ') - - files_search_tmp($1) - allow $1 hald_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_read_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append -## hald libraries files. -## -## -## -## Domain to not audit. -## -## -# - define(`hal_dontaudit_append_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_dontaudit_append_lib_files'($*)) dnl - - gen_require(` - type hald_var_lib_t; - ') - - dontaudit $1 hald_var_lib_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_dontaudit_append_lib_files'($*)) dnl - ') - - -######################################## -## -## Read hald pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_read_pid_files'($*)) dnl - - gen_require(` - type hald_runtime_t; - ') - - files_search_pids($1) - allow $1 hald_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_read_pid_files'($*)) dnl - ') - - -######################################## -## -## Read and write hald pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hal_rw_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_rw_pid_files'($*)) dnl - - gen_require(` - type hald_runtime_t; - ') - - files_search_pids($1) - allow $1 hald_runtime_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_rw_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## hald pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_manage_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_manage_pid_dirs'($*)) dnl - - gen_require(` - type hald_runtime_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, hald_runtime_t, hald_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_manage_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## hald pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`hal_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hal_manage_pid_files'($*)) dnl - - gen_require(` - type hald_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, hald_runtime_t, hald_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hal_manage_pid_files'($*)) dnl - ') - -## POP and IMAP mail server. - -####################################### -## -## Connect to dovecot using a unix -## domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dovecot_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect'($*)) dnl - - gen_require(` - type dovecot_t, dovecot_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dovecot_runtime_t, dovecot_runtime_t, dovecot_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_stream_connect'($*)) dnl - ') - - -######################################## -## -## Connect to dovecot using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -## -# - define(`dovecot_stream_connect_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect_auth'($*)) dnl - - gen_require(` - type dovecot_auth_t, dovecot_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, dovecot_runtime_t, dovecot_runtime_t, dovecot_auth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_stream_connect_auth'($*)) dnl - ') - - -######################################## -## -## Execute dovecot_deliver in the -## dovecot_deliver domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`dovecot_domtrans_deliver',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_domtrans_deliver'($*)) dnl - - gen_require(` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_domtrans_deliver'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## dovecot spool files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`dovecot_manage_spool',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_manage_spool'($*)) dnl - - gen_require(` - type dovecot_spool_t; - ') - - files_search_spool($1) - allow $1 dovecot_spool_t:dir manage_dir_perms; - allow $1 dovecot_spool_t:file manage_file_perms; - allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_manage_spool'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to delete -## dovecot lib files. -## -## -## -## Domain to not audit. -## -## -# - define(`dovecot_dontaudit_unlink_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_dontaudit_unlink_lib_files'($*)) dnl - - gen_require(` - type dovecot_var_lib_t; - ') - - dontaudit $1 dovecot_var_lib_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_dontaudit_unlink_lib_files'($*)) dnl - ') - - -###################################### -## -## Write inherited dovecot tmp files. -## -## -## -## Domain to not audit. -## -## -# - define(`dovecot_write_inherited_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_write_inherited_tmp_files'($*)) dnl - - gen_require(` - type dovecot_tmp_t; - ') - - allow $1 dovecot_tmp_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_write_inherited_tmp_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an dovecot environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`dovecot_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `dovecot_admin'($*)) dnl - - gen_require(` - type dovecot_t, dovecot_etc_t, dovecot_var_log_t; - type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t; - type dovecot_runtime_t, dovecot_cert_t, dovecot_passwd_t; - type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t; - type dovecot_keytab_t; - ') - - allow $1 dovecot_t:process { ptrace signal_perms }; - ps_process_pattern($1, dovecot_t) - - init_startstop_service($1, $2, dovecot_t, dovecot_initrc_exec_t) - - files_list_etc($1) - admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) - - logging_list_logs($1) - admin_pattern($1, dovecot_var_log_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - - files_search_tmp($1) - admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, dovecot_runtime_t) - - admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `dovecot_admin'($*)) dnl - ') - -## SELinux troubleshooting service. - -######################################## -## -## Connect to setroubleshootd with a -## unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`setroubleshoot_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_stream_connect'($*)) dnl - - gen_require(` - type setroubleshootd_t, setroubleshoot_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, setroubleshoot_runtime_t, setroubleshoot_runtime_t, setroubleshootd_t) - allow $1 setroubleshoot_runtime_t:sock_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_stream_connect'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to connect to -## setroubleshootd with a unix -## domain stream socket. -## -## -## -## Domain to not audit. -## -## -# - define(`setroubleshoot_dontaudit_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_stream_connect'($*)) dnl - - gen_require(` - type setroubleshootd_t, setroubleshoot_runtime_t; - ') - - dontaudit $1 setroubleshoot_runtime_t:sock_file rw_sock_file_perms; - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_stream_connect'($*)) dnl - ') - - -####################################### -## -## Send null signals to setroubleshoot. -## -## -## -## Domain allowed access. -## -## -# - define(`setroubleshoot_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_signull'($*)) dnl - - gen_require(` - type setroubleshootd_t; - ') - - allow $1 setroubleshootd_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_signull'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## setroubleshoot over dbus. 
-## -## -## -## Domain allowed access. -## -## -# - define(`setroubleshoot_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat'($*)) dnl - - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - allow $1 setroubleshootd_t:dbus send_msg; - allow setroubleshootd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Do not audit send and receive messages from -## setroubleshoot over dbus. -## -## -## -## Domain to not audit. -## -## -# - define(`setroubleshoot_dontaudit_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_dbus_chat'($*)) dnl - - gen_require(` - type setroubleshootd_t; - class dbus send_msg; - ') - - dontaudit $1 setroubleshootd_t:dbus send_msg; - dontaudit setroubleshootd_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## setroubleshoot fixit over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`setroubleshoot_dbus_chat_fixit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat_fixit'($*)) dnl - - gen_require(` - type setroubleshoot_fixit_t; - class dbus send_msg; - ') - - allow $1 setroubleshoot_fixit_t:dbus send_msg; - allow setroubleshoot_fixit_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat_fixit'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an setroubleshoot environment. 
-## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`setroubleshoot_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setroubleshoot_admin'($*)) dnl - - gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; - type setroubleshoot_var_lib_t, setroubleshoot_runtime_t; - ') - - allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) - - files_list_var_lib($1) - admin_pattern($1, setroubleshoot_var_lib_t) - - files_list_pids($1) - admin_pattern($1, setroubleshoot_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setroubleshoot_admin'($*)) dnl - ') - -## IRC servers. - -######################################## -## -## All of the rules required to -## administrate an ircd environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`ircd_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ircd_admin'($*)) dnl - - gen_require(` - type ircd_t, ircd_initrc_exec_t, ircd_etc_t; - type ircd_log_t, ircd_var_lib_t, ircd_runtime_t; - ') - - init_startstop_service($1, $2, ircd_t, ircd_initrc_exec_t) - - allow $1 ircd_t:process { ptrace signal_perms }; - ps_process_pattern($1, ircd_t) - - files_search_etc($1) - admin_pattern($1, ircd_etc_t) - - logging_search_logs($1) - admin_pattern($1, ircd_log_t) - - files_search_var_lib($1) - admin_pattern($1, ircd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ircd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ircd_admin'($*)) dnl - ') - -## SELinux MLS/MCS label translation service. 
- -######################################## -## -## Execute setrans server in the setrans domain. -## -## -## -## Domain allowed to transition. -## -## -# -# - define(`setrans_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setrans_initrc_domtrans'($*)) dnl - - gen_require(` - type setrans_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, setrans_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setrans_initrc_domtrans'($*)) dnl - ') - - -####################################### -## -## Allow a domain to translate contexts. (Deprecated) -## -## -## -## Domain allowed access. -## -## -# - define(`setrans_translate_context',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setrans_translate_context'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setrans_translate_context'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an setrans environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -# - define(`setrans_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `setrans_admin'($*)) dnl - - gen_require(` - type setrans_t, setrans_initrc_exec_t; - type setrans_runtime_t, setrans_unit_t; - ') - - allow $1 setrans_t:process { ptrace signal_perms }; - ps_process_pattern($1, setrans_t) - - init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t) - - files_search_pids($1) - admin_pattern($1, setrans_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `setrans_admin'($*)) dnl - ') - -## Policy for the kernel message logger and system logging daemon. 
- -######################################## -## -## Make the specified type usable for log files -## in a filesystem. -## -## -##

-## Make the specified type usable for log files in a filesystem. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a log file type may result in problems with log -## rotation, log analysis, and log monitoring programs. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_log_filetrans()
  • -##
-##

-## Example usage with a domain that can create -## and append to a private log file stored in the -## general directories (e.g., /var/log): -##

-##

-## type mylogfile_t; -## logging_log_file(mylogfile_t) -## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; -## logging_log_filetrans(mydomain_t, mylogfile_t, file) -##

-##
-## -## -## Type to be used for files. -## -## -## -# - define(`logging_log_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_log_file'($*)) dnl - - gen_require(` - attribute logfile; - ') - - files_type($1) - files_associate_tmp($1) - fs_associate_tmpfs($1) - typeattribute $1 logfile; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_log_file'($*)) dnl - ') - - -####################################### -## -## Send audit messages. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_send_audit_msgs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_send_audit_msgs'($*)) dnl - - allow $1 self:capability audit_write; - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_send_audit_msgs'($*)) dnl - ') - - -####################################### -## -## dontaudit attempts to send audit messages. -## -## -## -## Domain to not audit. -## -## -# - define(`logging_dontaudit_send_audit_msgs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dontaudit_send_audit_msgs'($*)) dnl - - dontaudit $1 self:capability audit_write; - dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dontaudit_send_audit_msgs'($*)) dnl - ') - - -######################################## -## -## Set login uid -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_set_loginuid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_set_loginuid'($*)) dnl - - allow $1 self:capability audit_control; - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_set_loginuid'($*)) dnl - ') - - -######################################## -## -## Set tty auditing -## -## -## -## Domain allowed access. -## -## -# - define(`logging_set_tty_audit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_set_tty_audit'($*)) dnl - - allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_set_tty_audit'($*)) dnl - ') - - -######################################## -## -## Set up audit -## -## -## -## Domain allowed access. -## -## -# - define(`logging_set_audit_parameters',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_set_audit_parameters'($*)) dnl - - allow $1 self:capability { audit_control audit_write }; - allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_set_audit_parameters'($*)) dnl - ') - - -######################################## -## -## Read the audit log. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_read_audit_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_read_audit_log'($*)) dnl - - gen_require(` - type auditd_log_t; - ') - - files_search_var($1) - read_files_pattern($1, auditd_log_t, auditd_log_t) - allow $1 auditd_log_t:dir list_dir_perms; - - dontaudit $1 auditd_log_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_read_audit_log'($*)) dnl - ') - - -######################################## -## -## Execute auditctl in the auditctl domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`logging_domtrans_auditctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditctl'($*)) dnl - - gen_require(` - type auditctl_t, auditctl_exec_t; - ') - - domtrans_pattern($1, auditctl_exec_t, auditctl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_domtrans_auditctl'($*)) dnl - ') - - -######################################## -## -## Execute auditctl in the auditctl domain, and -## allow the specified role the auditctl domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`logging_run_auditctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_run_auditctl'($*)) dnl - - gen_require(` - type auditctl_t; - ') - - logging_domtrans_auditctl($1) - role $2 types auditctl_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_run_auditctl'($*)) dnl - ') - - -######################################## -## -## Execute auditd in the auditd domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`logging_domtrans_auditd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditd'($*)) dnl - - gen_require(` - type auditd_t, auditd_exec_t; - ') - - domtrans_pattern($1, auditd_exec_t, auditd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_domtrans_auditd'($*)) dnl - ') - - -######################################## -## -## Execute auditd in the auditd domain, and -## allow the specified role the auditd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`logging_run_auditd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_run_auditd'($*)) dnl - - gen_require(` - type auditd_t; - ') - - logging_domtrans_auditd($1) - role $2 types auditd_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_run_auditd'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run the audit dispatcher. -## -## -## -## Domain allowed to transition. -## -## -# - define(`logging_domtrans_dispatcher',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_domtrans_dispatcher'($*)) dnl - - gen_require(` - type audisp_t, audisp_exec_t; - ') - - domtrans_pattern($1, audisp_exec_t, audisp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_domtrans_dispatcher'($*)) dnl - ') - - -######################################## -## -## Signal the audit dispatcher. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_signal_dispatcher',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_signal_dispatcher'($*)) dnl - - gen_require(` - type audisp_t; - ') - - allow $1 audisp_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_signal_dispatcher'($*)) dnl - ') - - -######################################## -## -## Create a domain for processes -## which can be started by the system audit dispatcher -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# - define(`logging_dispatcher_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dispatcher_domain'($*)) dnl - - gen_require(` - type audisp_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(audisp_t, $2, $1) - allow audisp_t $1:process { sigkill sigstop signull signal }; - - allow audisp_t $2:file getattr; - allow $1 audisp_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dispatcher_domain'($*)) dnl - ') - - -######################################## -## -## Connect to the audit dispatcher over an unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_stream_connect_dispatcher',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_stream_connect_dispatcher'($*)) dnl - - gen_require(` - type audisp_t, audisp_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, audisp_runtime_t, audisp_runtime_t, audisp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_stream_connect_dispatcher'($*)) dnl - ') - - -######################################## -## -## Manage the auditd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_manage_audit_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_audit_config'($*)) dnl - - gen_require(` - type auditd_etc_t; - ') - - files_search_etc($1) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - - dontaudit $1 auditd_etc_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_audit_config'($*)) dnl - ') - - -######################################## -## -## Manage the audit log. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_manage_audit_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_audit_log'($*)) dnl - - gen_require(` - type auditd_log_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, auditd_log_t, auditd_log_t) - manage_files_pattern($1, auditd_log_t, auditd_log_t) - - dontaudit $1 auditd_log_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_audit_log'($*)) dnl - ') - - -######################################## -## -## Execute klogd in the klog domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`logging_domtrans_klog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_domtrans_klog'($*)) dnl - - gen_require(` - type klogd_t, klogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, klogd_exec_t, klogd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_domtrans_klog'($*)) dnl - ') - - -######################################## -## -## Check if syslogd is executable. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_check_exec_syslog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_check_exec_syslog'($*)) dnl - - gen_require(` - type syslogd_exec_t; - ') - - corecmd_list_bin($1) - allow $1 syslogd_exec_t:file execute; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_check_exec_syslog'($*)) dnl - ') - - -######################################## -## -## Execute syslogd in the syslog domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`logging_domtrans_syslog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_domtrans_syslog'($*)) dnl - - gen_require(` - type syslogd_t, syslogd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, syslogd_exec_t, syslogd_t) - ifdef(`enable_mls',` - range_transition $1 syslogd_exec_t:process mls_systemhigh; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_domtrans_syslog'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to check status of syslog unit -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_status_syslog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_status_syslog'($*)) dnl - - gen_require(` - type syslogd_unit_t; - class service status; - ') - - allow $1 syslogd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_status_syslog'($*)) dnl - ') - - -######################################## -## -## Set the attributes of syslog temporary files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_setattr_syslogd_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_setattr_syslogd_tmp_files'($*)) dnl - - gen_require(` - type syslogd_tmp_t; - ') - - allow $1 syslogd_tmp_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_setattr_syslogd_tmp_files'($*)) dnl - ') - - -######################################## -## -## Relabel to and from syslog temporary file type. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_relabel_syslogd_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_relabel_syslogd_tmp_files'($*)) dnl - - gen_require(` - type syslogd_tmp_t; - ') - - allow $1 syslogd_tmp_t:file { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_relabel_syslogd_tmp_files'($*)) dnl - ') - - -######################################## -## -## Set the attributes of syslog temporary directories. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_setattr_syslogd_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_setattr_syslogd_tmp_dirs'($*)) dnl - - gen_require(` - type syslogd_tmp_t; - ') - - allow $1 syslogd_tmp_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_setattr_syslogd_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from syslog temporary directory type. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_relabel_syslogd_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_relabel_syslogd_tmp_dirs'($*)) dnl - - gen_require(` - type syslogd_tmp_t; - ') - - allow $1 syslogd_tmp_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_relabel_syslogd_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Create an object in the log directory, with a private type. -## -## -##

-## Allow the specified domain to create an object -## in the general system log directories (e.g., /var/log) -## with a private type. Typically this is used for creating -## private log files in /var/log with the private type instead -## of the general system log type. To accomplish this goal, -## either the program must be SELinux-aware, or use this interface. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_log_file()
  • -##
-##

-## Example usage with a domain that can create -## and append to a private log file stored in the -## general directories (e.g., /var/log): -##

-##

-## type mylogfile_t; -## logging_log_file(mylogfile_t) -## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; -## logging_log_filetrans(mydomain_t, mylogfile_t, file) -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -## -# - define(`logging_log_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_log_filetrans'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - filetrans_pattern($1, var_log_t, $2, $3, $4) - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_log_filetrans'($*)) dnl - ') - - -######################################## -## -## Send system log messages. -## -## -##

-## Allow the specified domain to connect to the -## system log service (syslog), to send messages be added to -## the system logs. Typically this is used by services -## that do not have their own log file in /var/log. -##

-##

-## This does not allow messages to be sent to -## the auditing system. -##

-##

-## Programs which use the libc function syslog() will -## require this access. -##

-##

-## Related interfaces: -##

-##
    -##
  • logging_send_audit_msgs()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# - define(`logging_send_syslog_msg',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_send_syslog_msg'($*)) dnl - - gen_require(` - type syslogd_t, syslogd_runtime_t, devlog_t; - ') - - allow $1 devlog_t:sock_file write_sock_file_perms; - - # systemd journal socket is in /run/systemd/journal/dev-log - init_search_run($1) - allow $1 syslogd_runtime_t:dir search_dir_perms; - - # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; - allow $1 syslogd_t:unix_stream_socket connectto; - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 self:unix_stream_socket create_socket_perms; - - # If syslog is down, the glibc syslog() function - # will write to the console. - term_write_console($1) - term_dontaudit_read_console($1) - - ifdef(`init_systemd',` - # Allow systemd-journald to check whether the process died - allow syslogd_t $1:process signull; - - ifdef(`distro_redhat',` - kernel_dgram_send($1) - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_send_syslog_msg'($*)) dnl - ') - - -######################################## -## -## Allow domain to relabelto devlog sock_files -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_relabelto_devlog_sock_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_relabelto_devlog_sock_files'($*)) dnl - - gen_require(` - type devlog_t; - ') - - allow $1 devlog_t:sock_file relabelto_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_relabelto_devlog_sock_files'($*)) dnl - ') - - -######################################## -## -## Connect to the syslog control unix stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_create_devlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_create_devlog'($*)) dnl - - gen_require(` - type devlog_t; - ') - - allow $1 devlog_t:sock_file manage_sock_file_perms; - dev_filetrans($1, devlog_t, sock_file) - init_pid_filetrans($1, devlog_t, sock_file, "syslog") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_create_devlog'($*)) dnl - ') - - -######################################## -## -## Read the auditd configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_read_audit_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_read_audit_config'($*)) dnl - - gen_require(` - type auditd_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, auditd_etc_t, auditd_etc_t) - allow $1 auditd_etc_t:dir list_dir_perms; - - dontaudit $1 auditd_etc_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_read_audit_config'($*)) dnl - ') - - -######################################## -## -## dontaudit search of auditd configuration files. -## -## -## -## Domain to not audit. -## -## -## -# - define(`logging_dontaudit_search_audit_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_config'($*)) dnl - - gen_require(` - type auditd_etc_t; - ') - - dontaudit $1 auditd_etc_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_config'($*)) dnl - ') - - -######################################## -## -## Read syslog configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_read_syslog_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_read_syslog_config'($*)) dnl - - gen_require(` - type syslog_conf_t; - ') - - allow $1 syslog_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_read_syslog_config'($*)) dnl - ') - - -######################################## -## -## Watch syslog runtime dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_watch_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_watch_runtime_dirs'($*)) dnl - - gen_require(` - type syslogd_runtime_t; - ') - - allow $1 syslogd_runtime_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_watch_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Delete the syslog socket files -## -## -## -## Domain allowed access -## -## -## -# - define(`logging_delete_devlog_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_delete_devlog_socket'($*)) dnl - - gen_require(` - type devlog_t; - ') - - allow $1 devlog_t:sock_file unlink; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_delete_devlog_socket'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete syslog PID sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_manage_pid_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_pid_sockets'($*)) dnl - - gen_require(` - type syslogd_runtime_t; - ') - - manage_sock_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_pid_sockets'($*)) dnl - ') - - -######################################## -## -## Allows the domain to open a file in the -## log directory, but does not allow the listing -## of the contents of the log directory. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_search_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_search_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir search_dir_perms; - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_search_logs'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to search the var log directory. -## -## -## -## Domain not to audit. -## -## -# - define(`logging_dontaudit_search_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - dontaudit $1 var_log_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_logs'($*)) dnl - ') - - -####################################### -## -## List the contents of the generic log directory (/var/log). -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_list_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_list_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_list_logs'($*)) dnl - ') - - -####################################### -## -## Read and write the generic log directory (/var/log). -## -## -## -## Domain allowed access. -## -## -# - define(`logging_rw_generic_log_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_rw_generic_log_dirs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir rw_dir_perms; - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_rw_generic_log_dirs'($*)) dnl - ') - - -####################################### -## -## Search through all log dirs. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_search_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_search_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - allow $1 logfile:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_search_all_logs'($*)) dnl - ') - - -####################################### -## -## Set attributes on all log dirs. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_setattr_all_log_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_setattr_all_log_dirs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - allow $1 logfile:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_setattr_all_log_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of any log files. -## -## -## -## Domain to not audit. -## -## -# - define(`logging_dontaudit_getattr_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dontaudit_getattr_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - dontaudit $1 logfile:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dontaudit_getattr_all_logs'($*)) dnl - ') - - -######################################## -## -## Read the atttributes of any log file -## -## -## -## Domain allowed access -## -## -# - define(`logging_getattr_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_getattr_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - allow $1 logfile:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_getattr_all_logs'($*)) dnl - ') - - -######################################## -## -## Append to all log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_append_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_append_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - type var_log_t; - ') - - files_search_var($1) - append_files_pattern($1, var_log_t, logfile) - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_append_all_logs'($*)) dnl - ') - - -######################################## -## -## Append to all log files. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_append_all_inherited_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_append_all_inherited_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - allow $1 logfile:file { getattr append ioctl lock }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_append_all_inherited_logs'($*)) dnl - ') - - -######################################## -## -## Read all log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_read_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_read_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; - read_files_pattern($1, logfile, logfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_read_all_logs'($*)) dnl - ') - - -######################################## -## -## Execute all log files in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -# cjp: not sure why this is needed. This was added -# because of logrotate. 
- define(`logging_exec_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_exec_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; - can_exec($1, logfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_exec_all_logs'($*)) dnl - ') - - -######################################## -## -## read/write to all log files. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_rw_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_rw_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - files_search_var($1) - rw_files_pattern($1, logfile, logfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_rw_all_logs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete all log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_manage_all_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_all_logs'($*)) dnl - - gen_require(` - attribute logfile; - ') - - files_search_var($1) - manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_all_logs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic log directories. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_manage_generic_log_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_generic_log_dirs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_generic_log_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from and to generic log directory type. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_relabel_generic_log_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_relabel_generic_log_dirs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_relabel_generic_log_dirs'($*)) dnl - ') - - -######################################## -## -## Read generic log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_read_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_read_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - read_files_pattern($1, var_log_t, var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_read_generic_logs'($*)) dnl - ') - - -######################################## -## -## Map generic log files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`logging_mmap_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_mmap_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - allow $1 var_log_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_mmap_generic_logs'($*)) dnl - ') - - -######################################## -## -## Write generic log files. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_write_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_write_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - write_files_pattern($1, var_log_t, var_log_t) - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_write_generic_logs'($*)) dnl - ') - - -######################################## -## -## Dontaudit Write generic log files. -## -## -## -## Domain to not audit. -## -## -# - define(`logging_dontaudit_write_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_dontaudit_write_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - dontaudit $1 var_log_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_dontaudit_write_generic_logs'($*)) dnl - ') - - -######################################## -## -## Read and write generic log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`logging_rw_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_rw_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - rw_files_pattern($1, var_log_t, var_log_t) - allow $1 var_log_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_rw_generic_logs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## generic log files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`logging_manage_generic_logs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_manage_generic_logs'($*)) dnl - - gen_require(` - type var_log_t; - ') - - files_search_var($1) - manage_files_pattern($1, var_log_t, var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_manage_generic_logs'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate -## the audit environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. 
-## -## -## -# - define(`logging_admin_audit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_admin_audit'($*)) dnl - - gen_require(` - type auditd_t, auditd_etc_t, auditd_log_t; - type auditd_runtime_t; - type auditd_initrc_exec_t, auditd_unit_t; - ') - - allow $1 auditd_t:process { ptrace signal_perms }; - ps_process_pattern($1, auditd_t) - - manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - - manage_dirs_pattern($1, auditd_log_t, auditd_log_t) - manage_files_pattern($1, auditd_log_t, auditd_log_t) - - manage_dirs_pattern($1, auditd_runtime_t, auditd_runtime_t) - manage_files_pattern($1, auditd_runtime_t, auditd_runtime_t) - - logging_run_auditctl($1, $2) - - init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t) - - dontaudit $1 auditd_etc_t:file map; - dontaudit $1 auditd_log_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_admin_audit'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate -## the syslog environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. 
-## -## -## -# - define(`logging_admin_syslog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_admin_syslog'($*)) dnl - - gen_require(` - type syslogd_t, klogd_t, syslog_conf_t; - type syslogd_tmp_t, syslogd_var_lib_t; - type syslogd_runtime_t, klogd_runtime_t; - type klogd_tmp_t; - type syslogd_initrc_exec_t, syslogd_unit_t; - ') - - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; - ps_process_pattern($1, syslogd_t) - ps_process_pattern($1, klogd_t) - - manage_dirs_pattern($1, klogd_runtime_t, klogd_runtime_t) - manage_files_pattern($1, klogd_runtime_t, klogd_runtime_t) - - manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) - manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) - - manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) - manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) - - manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) - manage_files_pattern($1, syslog_conf_t, syslog_conf_t) - files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") - files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") - - manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) - manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) - - manage_dirs_pattern($1, syslogd_runtime_t, syslogd_runtime_t) - manage_files_pattern($1, syslogd_runtime_t, syslogd_runtime_t) - - logging_manage_all_logs($1) - - init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_admin_syslog'($*)) dnl - ') - - -######################################## -## -## All of the rules required to administrate -## the logging environment -## -## -## -## Domain allowed access. -## -## -## -## -## User role allowed access. 
-## -## -## -# - define(`logging_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_admin'($*)) dnl - - logging_admin_audit($1, $2) - logging_admin_syslog($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_admin'($*)) dnl - ') - - -######################################## -## -## Mark the type as a syslog managed log file -## and introduce the proper file transition when -## created by the system logger in the generic -## log directory -## -## -## -## Type to mark as a syslog managed log file -## -## -## -## -## Name to use for the file -## -## -# - define(`logging_syslog_managed_log_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_syslog_managed_log_file'($*)) dnl - - gen_require(` - attribute syslogmanaged; - type syslogd_t; - ') - - typeattribute $1 syslogmanaged; - - logging_log_file($1) - logging_log_filetrans(syslogd_t, $1, file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_syslog_managed_log_file'($*)) dnl - ') - - -######################################## -## -## Mark the type as a syslog managed log dir -## and introduce the proper file transition when -## created by the system logger in the generic -## log directory -## -## -##

-## Once set, the system logger is able to fully -## manage files and directory of the given type. -## You do not need to use logging_syslog_managed_file -## anymore (unless a file name transition is needed -## for that as well). -##

-##
-## -## -## Type to mark as a syslog managed log dir -## -## -## -## -## Name to use for the directory -## -## -# - define(`logging_syslog_managed_log_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_syslog_managed_log_dir'($*)) dnl - - gen_require(` - attribute syslogmanaged; - type syslogd_t; - ') - - typeattribute $1 syslogmanaged; - - logging_log_file($1) - logging_log_filetrans(syslogd_t, $1, dir, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_syslog_managed_log_dir'($*)) dnl - ') - - -####################################### -## -## Map files in /run/log/journal/ directory. -## -## -## -## Domain allowed access. -## -## -# - define(`logging_mmap_journal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `logging_mmap_journal'($*)) dnl - - gen_require(` - type syslogd_runtime_t; - ') - - allow $1 syslogd_runtime_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `logging_mmap_journal'($*)) dnl - ') - -## Systemd components (not PID 1) - -######################################### -## -## Template for systemd --user per-role domains. -## -## -## -## Prefix for generated types -## -## -## -## -## The user role. -## -## -## -## -## The user domain for the role. 
-## -## -# - define(`systemd_role_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_role_template'($*)) dnl - - gen_require(` - attribute systemd_user_session_type, systemd_log_parse_env_type; - type systemd_user_runtime_t, systemd_user_runtime_notify_t; - ') - - ################################# - # - # Declarations - # - type $1_systemd_t, systemd_user_session_type, systemd_log_parse_env_type; - init_pgm_spec_user_daemon_domain($1_systemd_t) - domain_user_exemption_target($1_systemd_t) - ubac_constrained($1_systemd_t) - role $2 types $1_systemd_t; - - ################################# - # - # Local policy - # - - allow $3 systemd_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; - allow $3 systemd_user_runtime_t:file { manage_file_perms relabel_file_perms }; - allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $3 systemd_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - # This domain is per-role because of the below transitions. - # See the sytemd --user section of systemd.te for the - # remainder of the rules. - allow $1_systemd_t $3:process { setsched rlimitinh }; - corecmd_shell_domtrans($1_systemd_t, $3) - corecmd_bin_domtrans($1_systemd_t, $3) - - # Allow using file descriptors for user environment generators - allow $3 $1_systemd_t:fd use; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_role_template'($*)) dnl - ') - - -###################################### -## -## Make the specified type usable as an -## log parse environment type. -## -## -## -## Type to be used as a log parse environment type. 
-## -## -# - define(`systemd_log_parse_environment',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_log_parse_environment'($*)) dnl - - gen_require(` - attribute systemd_log_parse_env_type; - ') - - typeattribute $1 systemd_log_parse_env_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_log_parse_environment'($*)) dnl - ') - - -###################################### -## -## Allow domain to use systemd's Name Service Switch (NSS) module. -## This module provides UNIX user and group name resolution for dynamic users -## and groups allocated through the DynamicUser= option in systemd unit files -## -## -## -## Domain allowed access -## -## -# - define(`systemd_use_nss',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_use_nss'($*)) dnl - - gen_require(` - type systemd_conf_t; - ') - - # Get attributes of /etc/systemd/dont-synthesize-nobody - files_search_etc($1) - allow $1 systemd_conf_t:file getattr; - - optional_policy(` - dbus_system_bus_client($1) - # For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager - init_dbus_chat($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_use_nss'($*)) dnl - ') - - -###################################### -## -## Allow domain to be used as a systemd service with a unit -## that uses PrivateDevices=yes in section [Service]. -## -## -## -## Domain allowed access -## -## -# - define(`systemd_PrivateDevices',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_PrivateDevices'($*)) dnl - - # For services using PrivateDevices, systemd mounts a dedicated - # tmpfs filesystem for the /dev, which gets label tmpfs_t. 
- # Allow to traverse /dev and to read symlinks in /dev (for example /dev/log) - fs_read_tmpfs_symlinks($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_PrivateDevices'($*)) dnl - ') - - -####################################### -## -## Allow domain to read udev hwdb file -## -## -## -## domain allowed access -## -## -# - define(`systemd_read_hwdb',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_hwdb'($*)) dnl - - gen_require(` - type systemd_hwdb_t; - ') - - read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_hwdb'($*)) dnl - ') - - -####################################### -## -## Allow domain to map udev hwdb file -## -## -## -## domain allowed access -## -## -# - define(`systemd_map_hwdb',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_map_hwdb'($*)) dnl - - gen_require(` - type systemd_hwdb_t; - ') - - allow $1 systemd_hwdb_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_map_hwdb'($*)) dnl - ') - - -###################################### -## -## Read systemd_login PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_read_logind_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_logind_pids'($*)) dnl - - gen_require(` - type systemd_logind_runtime_t; - ') - - files_search_pids($1) - allow $1 systemd_logind_runtime_t:dir list_dir_perms; - allow $1 systemd_logind_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_logind_pids'($*)) dnl - ') - - -###################################### -## -## Manage systemd_login PID pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_manage_logind_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_manage_logind_pid_pipes'($*)) dnl - - gen_require(` - type systemd_logind_runtime_t; - ') - - files_search_pids($1) - manage_fifo_files_pattern($1, systemd_logind_runtime_t, systemd_logind_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_manage_logind_pid_pipes'($*)) dnl - ') - - -###################################### -## -## Write systemd_login named pipe. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_write_logind_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_write_logind_pid_pipes'($*)) dnl - - gen_require(` - type systemd_logind_runtime_t; - ') - - init_search_run($1) - files_search_pids($1) - allow $1 systemd_logind_runtime_t:fifo_file { getattr write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_write_logind_pid_pipes'($*)) dnl - ') - - -###################################### -## -## Use inherited systemd -## logind file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_use_logind_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_use_logind_fds'($*)) dnl - - gen_require(` - type systemd_logind_t; - ') - - allow $1 systemd_logind_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_use_logind_fds'($*)) dnl - ') - - -###################################### -## -## Read logind sessions files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_read_logind_sessions_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_logind_sessions_files'($*)) dnl - - gen_require(` - type systemd_sessions_runtime_t, systemd_logind_t; - ') - - allow $1 systemd_logind_t:fd use; - init_search_run($1) - allow $1 systemd_sessions_runtime_t:dir list_dir_perms; - read_files_pattern($1, systemd_sessions_runtime_t, systemd_sessions_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_logind_sessions_files'($*)) dnl - ') - - -###################################### -## -## Write inherited logind sessions pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_write_inherited_logind_sessions_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_write_inherited_logind_sessions_pipes'($*)) dnl - - gen_require(` - type systemd_logind_t, systemd_sessions_runtime_t; - ') - - allow $1 systemd_logind_t:fd use; - allow $1 systemd_sessions_runtime_t:fifo_file write; - allow systemd_logind_t $1:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_write_inherited_logind_sessions_pipes'($*)) dnl - ') - - -###################################### -## -## Write inherited logind inhibit pipes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_write_inherited_logind_inhibit_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_write_inherited_logind_inhibit_pipes'($*)) dnl - - gen_require(` - type systemd_logind_inhibit_runtime_t; - type systemd_logind_t; - ') - - allow $1 systemd_logind_t:fd use; - allow $1 systemd_logind_inhibit_runtime_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_write_inherited_logind_inhibit_pipes'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## systemd logind over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_dbus_chat_logind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_logind'($*)) dnl - - gen_require(` - type systemd_logind_t; - class dbus send_msg; - ') - - allow $1 systemd_logind_t:dbus send_msg; - allow systemd_logind_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_logind'($*)) dnl - ') - - -######################################## -## -## Allow process to write to systemd_kmod_conf_t. -## -## -## -## Domain allowed access. -## -## -## -# - define(`systemd_write_kmod_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_write_kmod_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_write_kmod_files'($*)) dnl - ') - - -######################################## -## -## Get the system status information from systemd_login -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_status_logind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_status_logind'($*)) dnl - - gen_require(` - type systemd_logind_t; - class service status; - ') - - allow $1 systemd_logind_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_status_logind'($*)) dnl - ') - - -######################################## -## -## Send systemd_login a null signal. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_signull_logind',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_signull_logind'($*)) dnl - - gen_require(` - type systemd_logind_t; - ') - - allow $1 systemd_logind_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_signull_logind'($*)) dnl - ') - - -######################################## -## -## Allow reading /run/systemd/machines -## -## -## -## Domain that can access the machines files -## -## -# - define(`systemd_read_machines',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_machines'($*)) dnl - - gen_require(` - type systemd_machined_runtime_t; - ') - - allow $1 systemd_machined_runtime_t:dir list_dir_perms; - allow $1 systemd_machined_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_machines'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## systemd hostnamed over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_dbus_chat_hostnamed',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_hostnamed'($*)) dnl - - gen_require(` - type systemd_hostnamed_t; - class dbus send_msg; - ') - - allow $1 systemd_hostnamed_t:dbus send_msg; - allow systemd_hostnamed_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_hostnamed'($*)) dnl - ') - - -######################################## -## -## allow systemd_passwd_agent to inherit fds -## -## -## -## Domain that owns the fds -## -## -# - define(`systemd_use_passwd_agent_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_use_passwd_agent_fds'($*)) dnl - - gen_require(` - type systemd_passwd_agent_t; - ') - - allow systemd_passwd_agent_t $1:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_use_passwd_agent_fds'($*)) dnl - ') - - -####################################### -## -## Allow a systemd_passwd_agent_t process to interact with a daemon -## that needs a password from the sysadmin. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_use_passwd_agent',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_use_passwd_agent'($*)) dnl - - gen_require(` - type systemd_passwd_agent_t; - type systemd_passwd_runtime_t; - ') - - manage_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t) - manage_sock_files_pattern($1, systemd_passwd_runtime_t, systemd_passwd_runtime_t) - - allow systemd_passwd_agent_t $1:process signull; - ps_process_pattern(systemd_passwd_agent_t, $1) - allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_use_passwd_agent'($*)) dnl - ') - - -######################################## -## -## Transition to systemd_passwd_runtime_t when creating dirs -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_filetrans_passwd_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_filetrans_passwd_runtime_dirs'($*)) dnl - - gen_require(` - type systemd_passwd_runtime_t; - ') - - init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password-block") - init_pid_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_filetrans_passwd_runtime_dirs'($*)) dnl - ') - - -###################################### -## -## Allow to domain to create systemd-passwd symlink -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_manage_passwd_runtime_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_manage_passwd_runtime_symlinks'($*)) dnl - - gen_require(` - type systemd_passwd_runtime_t; - ') - - allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_manage_passwd_runtime_symlinks'($*)) dnl - ') - - -######################################## -## -## manage systemd unit dirs and the files in them -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_manage_all_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_manage_all_units'($*)) dnl - - gen_require(` - attribute systemdunit; - ') - - manage_dirs_pattern($1, systemdunit, systemdunit) - manage_files_pattern($1, systemdunit, systemdunit) - manage_lnk_files_pattern($1, systemdunit, systemdunit) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_manage_all_units'($*)) dnl - ') - - -######################################## -## -## Allow domain to read systemd_journal_t files -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_read_journal_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_journal_files'($*)) dnl - - gen_require(` - type systemd_journal_t; - ') - - list_dirs_pattern($1, systemd_journal_t, systemd_journal_t) - mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_journal_files'($*)) dnl - ') - - -######################################## -## -## Allow domain to create/manage systemd_journal_t files -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_manage_journal_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_manage_journal_files'($*)) dnl - - gen_require(` - type systemd_journal_t; - ') - - manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t) - manage_files_pattern($1, systemd_journal_t, systemd_journal_t) - allow $1 systemd_journal_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_manage_journal_files'($*)) dnl - ') - - -######################################## -## -## Relabel to systemd-journald directory type. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_relabelto_journal_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_relabelto_journal_dirs'($*)) dnl - - gen_require(` - type systemd_journal_t; - ') - - files_search_var($1) - allow $1 systemd_journal_t:dir relabelto_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_relabelto_journal_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to systemd-journald file type. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_relabelto_journal_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_relabelto_journal_files'($*)) dnl - - gen_require(` - type systemd_journal_t; - ') - - files_search_var($1) - list_dirs_pattern($1,systemd_journal_t,systemd_journal_t) - allow $1 systemd_journal_t:file relabelto_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_relabelto_journal_files'($*)) dnl - ') - - -######################################## -## -## Allow domain to read systemd_networkd_t unit files -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_read_networkd_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_networkd_units'($*)) dnl - - gen_require(` - type systemd_networkd_unit_t; - ') - - init_search_units($1) - list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) - read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_networkd_units'($*)) dnl - ') - - -######################################## -## -## Allow domain to create/manage systemd_networkd_t unit files -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_manage_networkd_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_manage_networkd_units'($*)) dnl - - gen_require(` - type systemd_networkd_unit_t; - ') - - init_search_units($1) - manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) - manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_manage_networkd_units'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to enable systemd-networkd units -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_enabledisable_networkd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_enabledisable_networkd'($*)) dnl - - gen_require(` - type systemd_networkd_unit_t; - class service { enable disable }; - ') - - allow $1 systemd_networkd_unit_t:service { enable disable }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_enabledisable_networkd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start systemd-networkd units -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_startstop_networkd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_startstop_networkd'($*)) dnl - - gen_require(` - type systemd_networkd_unit_t; - class service { start stop }; - ') - - allow $1 systemd_networkd_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_startstop_networkd'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of systemd-networkd -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_status_networkd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_status_networkd'($*)) dnl - - gen_require(` - type systemd_networkd_unit_t; - class service status; - ') - - allow $1 systemd_networkd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_status_networkd'($*)) dnl - ') - - -####################################### -## -## Relabel systemd_networkd tun socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_relabelfrom_networkd_tun_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_relabelfrom_networkd_tun_sockets'($*)) dnl - - gen_require(` - type systemd_networkd_t; - ') - - allow $1 systemd_networkd_t:tun_socket relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_relabelfrom_networkd_tun_sockets'($*)) dnl - ') - - -####################################### -## -## Read/Write from systemd_networkd netlink route socket. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_rw_networkd_netlink_route_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_rw_networkd_netlink_route_sockets'($*)) dnl - - gen_require(` - type systemd_networkd_t; - ') - - allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_rw_networkd_netlink_route_sockets'($*)) dnl - ') - - -####################################### -## -## Allow domain to list dirs under /run/systemd/netif -## -## -## -## domain permitted the access -## -## -# - define(`systemd_list_networkd_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_list_networkd_runtime'($*)) dnl - - gen_require(` - type systemd_networkd_runtime_t; - ') - - init_list_pids($1) - allow $1 systemd_networkd_runtime_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_list_networkd_runtime'($*)) dnl - ') - - -####################################### -## -## Watch directories under /run/systemd/netif -## -## -## -## Domain permitted the access -## -## -# - define(`systemd_watch_networkd_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - 
policy_m4_comment(policy_call_depth,begin `systemd_watch_networkd_runtime_dirs'($*)) dnl - - gen_require(` - type systemd_networkd_runtime_t; - ') - - allow $1 systemd_networkd_runtime_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_watch_networkd_runtime_dirs'($*)) dnl - ') - - -####################################### -## -## Allow domain to read files generated by systemd_networkd -## -## -## -## domain allowed access -## -## -# - - define(`systemd_read_networkd_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_networkd_runtime'($*)) dnl - - gen_require(` - type systemd_networkd_runtime_t; - ') - - list_dirs_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t) - read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_networkd_runtime'($*)) dnl - ') - - -######################################## -## -## Allow systemd_logind_t to read process state for cgroup file -## -## -## -## Domain systemd_logind_t may access. -## -## -# - define(`systemd_read_logind_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_logind_state'($*)) dnl - - gen_require(` - type systemd_logind_t; - ') - - allow systemd_logind_t $1:dir list_dir_perms; - allow systemd_logind_t $1:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_logind_state'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start power units -## -## -## -## Domain to not audit. 
-## -## -# - define(`systemd_start_power_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_start_power_units'($*)) dnl - - gen_require(` - type power_unit_t; - class service start; - ') - - allow $1 power_unit_t:service start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_start_power_units'($*)) dnl - ') - - -######################################## -## -## Get the system status information about power units -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_status_power_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_status_power_units'($*)) dnl - - gen_require(` - type power_unit_t; - class service status; - ') - - allow $1 power_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_status_power_units'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## systemd tmpfiles config files. -## -## -## -## Type to be used for systemd tmpfiles config files. -## -## -# - define(`systemd_tmpfiles_conf_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_conf_file'($*)) dnl - - gen_require(` - attribute systemd_tmpfiles_conf_type; - ') - - files_config_file($1) - typeattribute $1 systemd_tmpfiles_conf_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_conf_file'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to create -## the tmpfiles config directory with -## the correct context. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_tmpfiles_creator',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_creator'($*)) dnl - - gen_require(` - type systemd_tmpfiles_conf_t; - ') - - files_pid_filetrans($1, systemd_tmpfiles_conf_t, dir, "tmpfiles.d") - allow $1 systemd_tmpfiles_conf_t:dir create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_creator'($*)) dnl - ') - - -######################################## -## -## Create an object in the systemd tmpfiles config -## directory, with a private type -## using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`systemd_tmpfiles_conf_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_conf_filetrans'($*)) dnl - - gen_require(` - type systemd_tmpfiles_conf_t; - ') - - files_search_pids($1) - filetrans_pattern($1, systemd_tmpfiles_conf_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_conf_filetrans'($*)) dnl - ') - - -######################################## -## -## Allow domain to list systemd tmpfiles config directory -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_list_tmpfiles_conf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_list_tmpfiles_conf'($*)) dnl - - gen_require(` - type systemd_tmpfiles_conf_t; - ') - - allow $1 systemd_tmpfiles_conf_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_list_tmpfiles_conf'($*)) dnl - ') - - -######################################## -## -## Allow domain to relabel to systemd tmpfiles config directory -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_relabelto_tmpfiles_conf_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_relabelto_tmpfiles_conf_dirs'($*)) dnl - - gen_require(` - type systemd_tmpfiles_conf_t; - ') - - allow $1 systemd_tmpfiles_conf_t:dir relabelto_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_relabelto_tmpfiles_conf_dirs'($*)) dnl - ') - - -######################################## -## -## Allow domain to relabel to systemd tmpfiles config files -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_relabelto_tmpfiles_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_relabelto_tmpfiles_conf_files'($*)) dnl - - gen_require(` - attribute systemd_tmpfiles_conf_type; - ') - - allow $1 systemd_tmpfiles_conf_type:file relabelto_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_relabelto_tmpfiles_conf_files'($*)) dnl - ') - - -####################################### -## -## Allow systemd_tmpfiles_t to manage filesystem objects -## -## -## -## type of object to manage -## -## -## -## -## object class to manage -## -## -# - define(`systemd_tmpfilesd_managed',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_tmpfilesd_managed'($*)) dnl - - gen_require(` - type systemd_tmpfiles_t; - ') - - allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_tmpfilesd_managed'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## systemd resolved over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_dbus_chat_resolved',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_resolved'($*)) dnl - - gen_require(` - type systemd_resolved_t; - class dbus send_msg; - ') - - allow $1 systemd_resolved_t:dbus send_msg; - allow systemd_resolved_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_resolved'($*)) dnl - ') - - -####################################### -## -## Allow domain to read resolv.conf file generated by systemd_resolved -## -## -## -## domain allowed access -## -## -# - define(`systemd_read_resolved_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_read_resolved_runtime'($*)) dnl - - gen_require(` - type systemd_resolved_runtime_t; - ') - - read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_read_resolved_runtime'($*)) dnl - ') - - -####################################### -## -## Allow domain to getattr on .updated file (generated by systemd-update-done -## -## -## -## domain allowed access -## -## -# - define(`systemd_getattr_updated_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_getattr_updated_runtime'($*)) dnl - - gen_require(` - type systemd_update_run_t; - ') - - getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_getattr_updated_runtime'($*)) dnl - ') - - -######################################## -## -## Search keys for the all systemd --user domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_search_all_user_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_search_all_user_keys'($*)) dnl - - gen_require(` - attribute systemd_user_session_type; - ') - - allow $1 systemd_user_session_type:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_search_all_user_keys'($*)) dnl - ') - - -######################################## -## -## Create keys for the all systemd --user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`systemd_create_all_user_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_create_all_user_keys'($*)) dnl - - gen_require(` - attribute systemd_user_session_type; - ') - - allow $1 systemd_user_session_type:key create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_create_all_user_keys'($*)) dnl - ') - - -######################################## -## -## Write keys for the all systemd --user domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`systemd_write_all_user_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `systemd_write_all_user_keys'($*)) dnl - - gen_require(` - attribute systemd_user_session_type; - ') - - allow $1 systemd_user_session_type:key write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `systemd_write_all_user_keys'($*)) dnl - ') - -## -## Freedesktop standard locations (formerly known as X Desktop Group) -## - - -######################################## -## -## Mark the selected type as an xdg_cache_type -## -## -## -## Type to give the xdg_cache_type attribute to -## -## -# - define(`xdg_cache_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_cache_content'($*)) dnl - - gen_require(` - attribute xdg_cache_type; - ') - - typeattribute $1 xdg_cache_type; - - userdom_user_home_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_cache_content'($*)) dnl - ') - - -######################################## -## -## Mark the selected type as an xdg_config_type -## -## -## -## Type to give the xdg_config_type attribute to -## -## -# - define(`xdg_config_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_config_content'($*)) dnl - - gen_require(` - attribute xdg_config_type; - ') - - typeattribute $1 xdg_config_type; - - userdom_user_home_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_config_content'($*)) dnl - ') - - -######################################## -## -## Mark the selected type as an xdg_data_type -## -## -## -## Type to give the xdg_data_type attribute to -## -## -# - define(`xdg_data_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_data_content'($*)) dnl - - 
gen_require(` - attribute xdg_data_type; - ') - - typeattribute $1 xdg_data_type; - - userdom_user_home_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_data_content'($*)) dnl - ') - - -######################################## -## -## Search through the xdg cache home directories -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_search_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_search_cache_dirs'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - search_dirs_pattern($1, xdg_cache_t, xdg_cache_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_search_cache_dirs'($*)) dnl - ') - - -######################################## -## -## Read the xdg cache home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_cache_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_cache_files'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - read_files_pattern($1, xdg_cache_t, xdg_cache_t) - allow $1 xdg_cache_t:file map; - list_dirs_pattern($1, xdg_cache_t, xdg_cache_t) - read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_cache_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_cache_type files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_read_all_cache_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_cache_files'($*)) dnl - - gen_require(` - attribute xdg_cache_type; - ') - - read_files_pattern($1, xdg_cache_type, xdg_cache_type) - allow $1 xdg_cache_type:file map; - list_dirs_pattern($1, xdg_cache_type, xdg_cache_type) - read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_cache_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_cache directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the file or directory created -## -## -# - define(`xdg_cache_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_cache_filetrans'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_cache_t, $2, $3, $4) - - xdg_create_cache_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_cache_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_cache_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_cache'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_cache_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_cache'($*)) dnl - ') - - -######################################## -## -## Create xdg cache home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_cache_dirs'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - allow $1 xdg_cache_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_cache_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg cache home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_cache'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t) - manage_files_pattern($1, xdg_cache_t, xdg_cache_t) - allow $1 xdg_cache_t:file map; - manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t) - manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t) - manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_cache'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg cache home files regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_all_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_cache'($*)) dnl - - gen_require(` - attribute xdg_cache_type; - ') - - manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type) - manage_files_pattern($1, xdg_cache_type, xdg_cache_type) - allow $1 xdg_cache_type:file map; - manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type) - manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type) - manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_cache'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg cache home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_cache'($*)) dnl - - gen_require(` - type xdg_cache_t; - ') - - relabel_dirs_pattern($1, xdg_cache_t, xdg_cache_t) - relabel_files_pattern($1, xdg_cache_t, xdg_cache_t) - relabel_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t) - relabel_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t) - relabel_sock_files_pattern($1, xdg_cache_t, xdg_cache_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_cache'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg cache home files, regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_cache'($*)) dnl - - gen_require(` - attribute xdg_cache_type; - ') - - relabel_dirs_pattern($1, xdg_cache_type, xdg_cache_type) - relabel_files_pattern($1, xdg_cache_type, xdg_cache_type) - relabel_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type) - relabel_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type) - relabel_sock_files_pattern($1, xdg_cache_type, xdg_cache_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_cache'($*)) dnl - ') - - -######################################## -## -## Search through the xdg config home directories -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_search_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_search_config_dirs'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - search_dirs_pattern($1, xdg_config_t, xdg_config_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_search_config_dirs'($*)) dnl - ') - - -######################################## -## -## Read the xdg config home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_config_files'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - read_files_pattern($1, xdg_config_t, xdg_config_t) - allow $1 xdg_config_t:file map; - list_dirs_pattern($1, xdg_config_t, xdg_config_t) - read_lnk_files_pattern($1, xdg_config_t, xdg_config_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_config_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_config_type files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_read_all_config_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_config_files'($*)) dnl - - gen_require(` - attribute xdg_config_type; - ') - - read_files_pattern($1, xdg_config_type, xdg_config_type) - allow $1 xdg_config_type:file map; - list_dirs_pattern($1, xdg_config_type, xdg_config_type) - read_lnk_files_pattern($1, xdg_config_type, xdg_config_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_config_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_config directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the file or directory created -## -## -# - define(`xdg_config_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_config_filetrans'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_config_t, $2, $3, $4) - - xdg_create_config_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_config_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_config_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_config'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_config_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_config'($*)) dnl - ') - - -######################################## -## -## Create xdg config home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_config_dirs'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - allow $1 xdg_config_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_config_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg config home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_config'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - manage_dirs_pattern($1, xdg_config_t, xdg_config_t) - manage_files_pattern($1, xdg_config_t, xdg_config_t) - allow $1 xdg_config_t:file map; - manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t) - manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t) - manage_sock_files_pattern($1, xdg_config_t, xdg_config_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_config'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg config home files regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_all_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_config'($*)) dnl - - gen_require(` - attribute xdg_config_type; - ') - - manage_dirs_pattern($1, xdg_config_type, xdg_config_type) - manage_files_pattern($1, xdg_config_type, xdg_config_type) - allow $1 xdg_config_type:file map; - manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type) - manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type) - manage_sock_files_pattern($1, xdg_config_type, xdg_config_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_config'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg config home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_config'($*)) dnl - - gen_require(` - type xdg_config_t; - ') - - relabel_dirs_pattern($1, xdg_config_t, xdg_config_t) - relabel_files_pattern($1, xdg_config_t, xdg_config_t) - relabel_lnk_files_pattern($1, xdg_config_t, xdg_config_t) - relabel_fifo_files_pattern($1, xdg_config_t, xdg_config_t) - relabel_sock_files_pattern($1, xdg_config_t, xdg_config_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_config'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg config home files, regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_config'($*)) dnl - - gen_require(` - attribute xdg_config_type; - ') - - relabel_dirs_pattern($1, xdg_config_type, xdg_config_type) - relabel_files_pattern($1, xdg_config_type, xdg_config_type) - relabel_lnk_files_pattern($1, xdg_config_type, xdg_config_type) - relabel_fifo_files_pattern($1, xdg_config_type, xdg_config_type) - relabel_sock_files_pattern($1, xdg_config_type, xdg_config_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_config'($*)) dnl - ') - - -######################################## -## -## Read the xdg data home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_read_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_data_files'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - read_files_pattern($1, xdg_data_t, xdg_data_t) - allow $1 xdg_data_t:file map; - list_dirs_pattern($1, xdg_data_t, xdg_data_t) - read_lnk_files_pattern($1, xdg_data_t, xdg_data_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_data_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_data_type files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_all_data_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_data_files'($*)) dnl - - gen_require(` - attribute xdg_data_type; - ') - - read_files_pattern($1, xdg_data_type, xdg_data_type) - allow $1 xdg_data_type:file map; - list_dirs_pattern($1, xdg_data_type, xdg_data_type) - read_lnk_files_pattern($1, xdg_data_type, xdg_data_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_data_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_data directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Optional name of the file or directory created -## -## -# - define(`xdg_data_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_data_filetrans'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - userdom_search_user_home_dirs($1) - - filetrans_pattern($1, xdg_data_t, $2, $3, $4) - - xdg_create_data_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_data_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_data_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_data'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_data_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_data'($*)) dnl - ') - - -######################################## -## -## Create xdg data home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_data_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_data_dirs'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - allow $1 xdg_data_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_data_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg data home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_data'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - manage_dirs_pattern($1, xdg_data_t, xdg_data_t) - manage_files_pattern($1, xdg_data_t, xdg_data_t) - allow $1 xdg_data_t:file map; - manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t) - manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t) - manage_sock_files_pattern($1, xdg_data_t, xdg_data_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_data'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg data home files, regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_all_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_data'($*)) dnl - - gen_require(` - attribute xdg_data_type; - ') - - manage_dirs_pattern($1, xdg_data_type, xdg_data_type) - manage_files_pattern($1, xdg_data_type, xdg_data_type) - allow $1 xdg_data_type:file map; - manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type) - manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type) - manage_sock_files_pattern($1, xdg_data_type, xdg_data_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_data'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg data home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_data'($*)) dnl - - gen_require(` - type xdg_data_t; - ') - - relabel_dirs_pattern($1, xdg_data_t, xdg_data_t) - relabel_files_pattern($1, xdg_data_t, xdg_data_t) - relabel_lnk_files_pattern($1, xdg_data_t, xdg_data_t) - relabel_fifo_files_pattern($1, xdg_data_t, xdg_data_t) - relabel_sock_files_pattern($1, xdg_data_t, xdg_data_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_data'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg data home files, regardless of their type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_data'($*)) dnl - - gen_require(` - attribute xdg_data_type; - ') - - relabel_dirs_pattern($1, xdg_data_type, xdg_data_type) - relabel_files_pattern($1, xdg_data_type, xdg_data_type) - relabel_lnk_files_pattern($1, xdg_data_type, xdg_data_type) - relabel_fifo_files_pattern($1, xdg_data_type, xdg_data_type) - relabel_sock_files_pattern($1, xdg_data_type, xdg_data_type) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_data'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_documents_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_documents',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_documents'($*)) dnl - - gen_require(` - type xdg_documents_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_documents'($*)) dnl - ') - - -######################################### -## -## Manage documents content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_documents',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_documents'($*)) dnl - - gen_require(` - type xdg_documents_t; - ') - - manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t) - manage_files_pattern($1, xdg_documents_t, xdg_documents_t) - allow $1 xdg_documents_t:file map; - manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_documents'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the documents resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_documents',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_documents'($*)) dnl - - gen_require(` - type xdg_documents_t; - ') - - relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t) - relabel_files_pattern($1, xdg_documents_t, xdg_documents_t) - relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_documents'($*)) dnl - ') - - -######################################### -## -## Read downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - read_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - allow $1 xdg_downloads_t:file map; - list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) - read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_downloads'($*)) dnl - ') - - -######################################### -## -## Create downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - create_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - allow $1 xdg_downloads_t:file map; - create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) - create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end 
`xdg_create_downloads'($*)) dnl - ') - - -######################################### -## -## Write downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_write_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_write_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - write_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - allow $1 xdg_downloads_t:file map; - list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) - read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_write_downloads'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_downloads_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_downloads'($*)) dnl - ') - - -######################################### -## -## Manage downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) - manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - allow $1 xdg_downloads_t:file map; - manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_downloads'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the downloads resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_downloads',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_downloads'($*)) dnl - - gen_require(` - type xdg_downloads_t; - ') - - relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t) - relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_downloads'($*)) dnl - ') - - -######################################### -## -## Read user pictures content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_pictures',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_pictures'($*)) dnl - - gen_require(` - type xdg_pictures_t; - ') - - read_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - allow $1 xdg_pictures_t:file map; - list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) - read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_pictures'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_pictures_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_pictures',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_pictures'($*)) dnl - - gen_require(` - type xdg_pictures_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_pictures'($*)) dnl - ') - - -######################################### -## -## Manage pictures content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_pictures',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_pictures'($*)) dnl - - gen_require(` - type xdg_pictures_t; - ') - - manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) - manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - allow $1 xdg_pictures_t:file map; - manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_pictures'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the pictures resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_pictures',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_pictures'($*)) dnl - - gen_require(` - type xdg_pictures_t; - ') - - relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t) - relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_pictures'($*)) dnl - ') - - -######################################### -## -## Read user music content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_music',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_music'($*)) dnl - - gen_require(` - type xdg_music_t; - ') - - read_files_pattern($1, xdg_music_t, xdg_music_t) - allow $1 xdg_music_t:file map; - list_dirs_pattern($1, xdg_music_t, xdg_music_t) - read_lnk_files_pattern($1, xdg_music_t, xdg_music_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_music'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_pictures_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_music',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_music'($*)) dnl - - gen_require(` - type xdg_music_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_music'($*)) dnl - ') - - -######################################### -## -## Manage music content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_music',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_music'($*)) dnl - - gen_require(` - type xdg_music_t; - ') - - manage_dirs_pattern($1, xdg_music_t, xdg_music_t) - manage_files_pattern($1, xdg_music_t, xdg_music_t) - allow $1 xdg_music_t:file map; - manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_music'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the music resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_music',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_music'($*)) dnl - - gen_require(` - type xdg_music_t; - ') - - relabel_dirs_pattern($1, xdg_music_t, xdg_music_t) - relabel_files_pattern($1, xdg_music_t, xdg_music_t) - relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_music'($*)) dnl - ') - - -######################################### -## -## Read user video content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_videos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_videos'($*)) dnl - - gen_require(` - type xdg_videos_t; - ') - - read_files_pattern($1, xdg_videos_t, xdg_videos_t) - allow $1 xdg_videos_t:file map; - list_dirs_pattern($1, xdg_videos_t, xdg_videos_t) - read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_videos'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_videos_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_videos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_videos'($*)) dnl - - gen_require(` - type xdg_videos_t; - ') - - userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_videos'($*)) dnl - ') - - -######################################### -## -## Manage video content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_videos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_videos'($*)) dnl - - gen_require(` - type xdg_videos_t; - ') - - manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t) - manage_files_pattern($1, xdg_videos_t, xdg_videos_t) - allow $1 xdg_videos_t:file map; - manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_videos'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the videos resources -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_relabel_videos',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_videos'($*)) dnl - - gen_require(` - type xdg_videos_t; - ') - - relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t) - relabel_files_pattern($1, xdg_videos_t, xdg_videos_t) - relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t) - - userdom_search_user_home_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_videos'($*)) dnl - ') - - - -# Gentoo specific under here -# Compat interfaces for old names that were upstreamed - -######################################## -## -## Mark the selected type as an xdg_cache_home_type -## -## -## -## Type to give the xdg_cache_home_type attribute to -## -## -# - define(`xdg_cache_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_cache_home_content'($*)) dnl - - xdg_cache_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_cache_home_content'($*)) dnl - ') - - -######################################## -## -## Mark the selected type as an xdg_config_home_type -## -## -## -## Type to give the xdg_config_home_type attribute to -## -## -# - define(`xdg_config_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_config_home_content'($*)) dnl - - xdg_config_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_config_home_content'($*)) dnl - ') - - -######################################## -## -## Mark the selected type as an xdg_data_home_type -## -## -## -## Type to give the xdg_data_home_type attribute to -## -## -# - define(`xdg_data_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_data_home_content'($*)) dnl - 
- xdg_data_content($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_data_home_content'($*)) dnl - ') - - -######################################## -## -## Read the xdg cache home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_cache_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_cache_home_files'($*)) dnl - - xdg_read_cache_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_cache_home_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_cache_home_type files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_all_cache_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_cache_home_files'($*)) dnl - - xdg_read_all_cache_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_cache_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_cache_home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the file or directory created -## -## -# - define(`xdg_cache_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_cache_home_filetrans'($*)) dnl - - xdg_cache_filetrans($1, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_cache_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_cache_home_t type. 
-## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_cache_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_cache_home'($*)) dnl - - xdg_generic_user_home_dir_filetrans_cache($1, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_cache_home'($*)) dnl - ') - - -######################################## -## -## Create xdg cache home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_cache_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_cache_home_dirs'($*)) dnl - - xdg_create_cache_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_cache_home_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg cache home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_cache_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_cache_home'($*)) dnl - - xdg_manage_cache($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_cache_home'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg cache home files regardless of their specific type -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_all_cache_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_cache_home'($*)) dnl - - xdg_manage_all_cache($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_cache_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg cache home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_cache_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_cache_home'($*)) dnl - - xdg_relabel_cache($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_cache_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg cache home files, regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_cache_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_cache_home'($*)) dnl - - xdg_relabel_all_cache($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_cache_home'($*)) dnl - ') - - -######################################## -## -## Search through the xdg config home directories -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_search_config_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_search_config_home_dirs'($*)) dnl - - xdg_search_config_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_search_config_home_dirs'($*)) dnl - ') - - -######################################## -## -## Read the xdg config home files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_read_config_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_config_home_files'($*)) dnl - - xdg_read_config_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_config_home_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_config_home_type files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_all_config_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_config_home_files'($*)) dnl - - xdg_read_all_config_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_config_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_config_home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Name of the file or directory created -## -## -# - define(`xdg_config_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_config_home_filetrans'($*)) dnl - - xdg_config_filetrans($1, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_config_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_config_home_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_config_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_config_home'($*)) dnl - - xdg_generic_user_home_dir_filetrans_config($1, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_config_home'($*)) dnl - ') - - -######################################## -## -## Create xdg config home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_config_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_config_home_dirs'($*)) dnl - - xdg_create_config_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_config_home_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg config home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_config_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_config_home'($*)) dnl - - xdg_manage_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_config_home'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg config home files regardless of their specific type -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_all_config_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_config_home'($*)) dnl - - xdg_manage_all_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_config_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg config home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_config_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_config_home'($*)) dnl - - xdg_relabel_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_config_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg config home files, regardless of their specific type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_config_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_config_home'($*)) dnl - - xdg_relabel_all_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_config_home'($*)) dnl - ') - - -######################################## -## -## Read the xdg data home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_read_data_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_data_home_files'($*)) dnl - - xdg_read_data_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_data_home_files'($*)) dnl - ') - - -######################################## -## -## Read all xdg_data_home_type files -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_read_all_data_home_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_all_data_home_files'($*)) dnl - - xdg_read_all_data_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_all_data_home_files'($*)) dnl - ') - - -######################################## -## -## Create objects in an xdg_data_home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## Optional name of the file or directory created -## -## -# - define(`xdg_data_home_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_data_home_filetrans'($*)) dnl - - xdg_data_filetrans($1, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_data_home_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user home dir with an automatic type transition to -## the xdg_data_home_t type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. 
-## -## -## -## -## Name of the directory created -## -## -# - define(`xdg_generic_user_home_dir_filetrans_data_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_generic_user_home_dir_filetrans_data_home'($*)) dnl - - xdg_generic_user_home_dir_filetrans_data($1, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_generic_user_home_dir_filetrans_data_home'($*)) dnl - ') - - -######################################## -## -## Create xdg data home directories -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_data_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_data_home_dirs'($*)) dnl - - xdg_create_data_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_data_home_dirs'($*)) dnl - ') - - -######################################## -## -## Manage the xdg data home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_manage_data_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_data_home'($*)) dnl - - xdg_manage_data($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_data_home'($*)) dnl - ') - - -######################################## -## -## Manage all the xdg data home files, regardless of their specific type -## -## -## -## Domain allowed access. 
-## -## -# - define(`xdg_manage_all_data_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_all_data_home'($*)) dnl - - xdg_manage_all_data($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_all_data_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg data home files -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_data_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_data_home'($*)) dnl - - xdg_relabel_data($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_data_home'($*)) dnl - ') - - -######################################## -## -## Allow relabeling the xdg data home files, regardless of their type -## -## -## -## Domain allowed access. -## -## -# - define(`xdg_relabel_all_data_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_relabel_all_data_home'($*)) dnl - - xdg_relabel_all_data($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_relabel_all_data_home'($*)) dnl - ') - - -######################################### -## -## Read downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_downloads_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_downloads_home'($*)) dnl - - xdg_read_downloads($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_downloads_home'($*)) dnl - ') - - -######################################### -## -## Read user video content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_videos_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - 
policy_m4_comment(policy_call_depth,begin `xdg_read_videos_home'($*)) dnl - - xdg_read_videos($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_videos_home'($*)) dnl - ') - - -######################################### -## -## Read user pictures content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_pictures_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_pictures_home'($*)) dnl - - xdg_read_pictures($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_pictures_home'($*)) dnl - ') - - -######################################### -## -## Read user music content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_read_music_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_read_music_home'($*)) dnl - - xdg_read_music($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_read_music_home'($*)) dnl - ') - - -######################################### -## -## Create downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_create_downloads_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_create_downloads_home'($*)) dnl - - xdg_create_downloads($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_create_downloads_home'($*)) dnl - ') - - -######################################### -## -## Write downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_write_downloads_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_write_downloads_home'($*)) dnl - - xdg_write_downloads($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end 
`xdg_write_downloads_home'($*)) dnl - ') - - -######################################### -## -## Manage downloaded content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_downloads_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_downloads_home'($*)) dnl - - xdg_manage_downloads($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_downloads_home'($*)) dnl - ') - - -######################################### -## -## Manage documents content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_documents_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_documents_home'($*)) dnl - - xdg_manage_documents($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_documents_home'($*)) dnl - ') - - -######################################### -## -## Manage music content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_music_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_music_home'($*)) dnl - - xdg_manage_music($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_music_home'($*)) dnl - ') - - -######################################### -## -## Manage pictures content -## -## -## -## Domain allowed access -## -## -# - define(`xdg_manage_pictures_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_pictures_home'($*)) dnl - - xdg_manage_pictures($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_pictures_home'($*)) dnl - ') - - -######################################### -## -## Manage video content -## -## -## -## Domain allowed access -## -## -# - 
define(`xdg_manage_videos_home',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xdg_manage_videos_home'($*)) dnl - - xdg_manage_videos($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xdg_manage_videos_home'($*)) dnl - ') - -## Policy for mount. - -######################################## -## -## Execute mount in the mount domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`mount_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_domtrans'($*)) dnl - - gen_require(` - type mount_t, mount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mount_exec_t, mount_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute mount in the mount domain, and -## allow the specified role the mount domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`mount_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_run'($*)) dnl - - gen_require(` - attribute_role mount_roles; - ') - - mount_domtrans($1) - roleattribute $2 mount_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_run'($*)) dnl - ') - - -######################################## -## -## Execute mount in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mount_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_exec'($*)) dnl - - gen_require(` - type mount_exec_t; - ') - - # cjp: this should be removed: - allow $1 mount_exec_t:dir list_dir_perms; - - allow $1 mount_exec_t:lnk_file read_lnk_file_perms; - corecmd_search_bin($1) - can_exec($1, mount_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_exec'($*)) dnl - ') - - -######################################## -## -## Send a generic signal to mount. -## -## -## -## Domain allowed access. -## -## -# - define(`mount_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_signal'($*)) dnl - - gen_require(` - type mount_t; - ') - - allow $1 mount_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_signal'($*)) dnl - ') - - -######################################## -## -## Use file descriptors for mount. -## -## -## -## The type of the process performing this action. -## -## -# - define(`mount_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_use_fds'($*)) dnl - - gen_require(` - type mount_t; - ') - - allow $1 mount_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_use_fds'($*)) dnl - ') - - -######################################## -## -## Execute mount in the unconfined mount domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`mount_domtrans_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_domtrans_unconfined'($*)) dnl - - gen_require(` - type unconfined_mount_t, mount_exec_t; - ') - - domtrans_pattern($1, mount_exec_t, unconfined_mount_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_domtrans_unconfined'($*)) dnl - ') - - -######################################## -## -## Execute mount in the unconfined mount domain, and -## allow the specified role the unconfined mount domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`mount_run_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_run_unconfined'($*)) dnl - - gen_require(` - type unconfined_mount_t; - ') - - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_run_unconfined'($*)) dnl - ') - - -######################################## -## -## Read loopback filesystem image files. -## -## -## -## Domain allowed access. -## -## -# - define(`mount_read_loopback_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_read_loopback_files'($*)) dnl - - gen_require(` - type mount_loopback_t; - ') - - allow $1 mount_loopback_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_read_loopback_files'($*)) dnl - ') - - -######################################## -## -## Read and write loopback filesystem image files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`mount_rw_loopback_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_rw_loopback_files'($*)) dnl - - gen_require(` - type mount_loopback_t; - ') - - allow $1 mount_loopback_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_rw_loopback_files'($*)) dnl - ') - - -######################################## -## -## List mount runtime files. -## -## -## -## Domain allowed access. -## -## -# - define(`mount_list_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_list_runtime'($*)) dnl - - gen_require(` - type mount_runtime_t; - ') - - allow $1 mount_runtime_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_list_runtime'($*)) dnl - ') - - -######################################## -## -## Watch mount runtime dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`mount_watch_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_watch_runtime_dirs'($*)) dnl - - gen_require(` - type mount_runtime_t; - ') - - allow $1 mount_runtime_t:dir watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_watch_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Getattr on mount_runtime_t files -## -## -## -## Domain allowed access. 
-## -## -# - define(`mount_getattr_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_getattr_runtime_files'($*)) dnl - - gen_require(` - type mount_runtime_t; - ') - - allow $1 mount_runtime_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_getattr_runtime_files'($*)) dnl - ') - - -######################################## -## -## Read and write mount runtime files. -## -## -## -## Domain allowed access. -## -## -# - define(`mount_rw_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_rw_runtime_files'($*)) dnl - - gen_require(` - type mount_runtime_t; - ') - - rw_files_pattern($1, mount_runtime_t, mount_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_rw_runtime_files'($*)) dnl - ') - - -# gentoo specific under here - -######################################## -## -## Read and write mount unnamed pipes -## -## -## -## Domain allowed access. -## -## -# - define(`mount_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `mount_rw_pipes'($*)) dnl - - gen_require(` - type mount_t; - ') - - allow $1 mount_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `mount_rw_pipes'($*)) dnl - ') - -## System initialization programs (init and init scripts). - -###################################### -## -## Make the specified type usable as a mountpoint. -## -## -## Make the specified type usable as a mountpoint. -## This is normally used for systemd BindPaths options. -## -## -## -## Type to be used as a mountpoint. 
-## -## -# - define(`init_mountpoint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_mountpoint'($*)) dnl - - gen_require(` - attribute init_mountpoint_type; - ') - - typeattribute $1 init_mountpoint_type; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_mountpoint'($*)) dnl - ') - - -######################################## -## -## Create a file type monitored by a systemd path unit. -## -## -## -## Type to be used for a path unit monitored location. -## -## -# - define(`init_path_unit_location_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_path_unit_location_file'($*)) dnl - - gen_require(` - attribute init_path_unit_loc_type; - ') - - typeattribute $1 init_path_unit_loc_type; - files_type($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_path_unit_location_file'($*)) dnl - ') - - -######################################## -## -## Create a file type used for init scripts. -## -## -##

-## Create a file type used for init scripts. It can not be -## used in conjunction with init_script_domain(). These -## script files are typically stored in the /etc/init.d directory. -##

-##

-## Typically this is used to constrain what services an -## admin can start/stop. For example, a policy writer may want -## to constrain a web administrator to only being able to -## restart the web server, not other services. This special type -## will help address that goal. -##

-##

-## This also makes the type usable for files; thus an -## explicit call to files_type() is redundant. -##

-##
-## -## -## Type to be used for a script file. -## -## -## -# - define(`init_script_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_script_file'($*)) dnl - - gen_require(` - type initrc_t; - attribute init_script_file_type, init_run_all_scripts_domain; - ') - - typeattribute $1 init_script_file_type; - - domain_entry_file(initrc_t, $1) - - domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for -## systemd unit files. -## -## -## -## Type to be used for systemd unit files. -## -## -# - define(`init_unit_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_unit_file'($*)) dnl - - gen_require(` - attribute systemdunit; - ') - - files_type($1) - typeattribute $1 systemdunit; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_unit_file'($*)) dnl - ') - - -######################################## -## -## Create a domain used for init scripts. -## -## -##

-## Create a domain used for init scripts. -## Can not be used in conjunction with -## init_script_file(). -##

-##
-## -## -## Type to be used as an init script domain. -## -## -## -## -## Type of the script file used as an entry point to this domain. -## -## -# - define(`init_script_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_script_domain'($*)) dnl - - gen_require(` - attribute init_script_domain_type, init_script_file_type; - attribute init_run_all_scripts_domain; - ') - - typeattribute $1 init_script_domain_type; - typeattribute $2 init_script_file_type; - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(init_run_all_scripts_domain, $2, $1) - - ifdef(`init_systemd',` - gen_require(` - type init_t; - ') - - allow $1 init_t:unix_stream_socket { getattr read write ioctl }; - - allow init_t $1:process2 { nnp_transition nosuid_transition }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain which can be started by init. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# - define(`init_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_domain'($*)) dnl - - gen_require(` - type init_t; - role system_r; - ') - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(init_t, $2, $1) - - allow init_t $1:process rlimitinh; - - ifdef(`init_systemd',` - allow $1 init_t:unix_stream_socket { getattr read write ioctl }; - - allow init_t $1:process2 { nnp_transition nosuid_transition }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain which can be started by init, -## with a range transition. 
-## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## Range for the domain. -## -## -# - define(`init_ranged_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_ranged_domain'($*)) dnl - - gen_require(` - type init_t; - ') - - init_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition init_t $2:process $3; - mls_rangetrans_target($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_ranged_domain'($*)) dnl - ') - - -######################################## -## -## Setup a domain which can be manually transitioned to from init. -## -## -##

-## Create a domain used for systemd services where the SELinuxContext -## option is specified in the .service file. This allows for the -## manual transition from systemd into the new domain. This is used -## when automatic transitions won't work. Used for the case where the -## same binary is used for multiple target domains. -##

-##
-## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program being executed when starting this domain. -## -## -# - define(`init_spec_daemon_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_spec_daemon_domain'($*)) dnl - - gen_require(` - type init_t; - role system_r; - attribute daemon; - ') - - typeattribute $1 daemon; - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - spec_domtrans_pattern(init_t, $2, $1) - - allow init_t $1:process rlimitinh; - - ifdef(`init_systemd',` - allow $1 init_t:unix_stream_socket { getattr read write ioctl }; - - allow init_t $1:process2 { nnp_transition nosuid_transition }; - ') - - # daemons started from init will - # inherit fds from init for the console - init_dontaudit_use_fds($1) - term_dontaudit_use_console($1) - - # init script ptys are the stdin/out/err - # when using run_init - init_use_script_ptys($1) - - ifdef(`direct_sysadm_daemon',` - userdom_dontaudit_use_user_terminals($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_spec_daemon_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain for long running processes -## (daemons/services) which are started by init scripts. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts. Short running processes -## should use the init_system_domain() interface instead. -## Typically all long running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the process must also run in a specific MLS/MCS level, -## the init_ranged_daemon_domain() should be used instead. -##

-##
-## -## -## Type to be used as a daemon domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# - define(`init_daemon_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_daemon_domain'($*)) dnl - - gen_require(` - type init_t, initrc_t; - role system_r; - attribute daemon; - ') - - typeattribute $1 daemon; - - domain_type($1) - domain_entry_file($1, $2) - - role system_r types $1; - - domtrans_pattern(initrc_t, $2, $1) - - # daemons started from init will - # inherit fds from init for the console - init_dontaudit_use_fds($1) - term_dontaudit_use_console($1) - - # init script ptys are the stdin/out/err - # when using run_init - init_use_script_ptys($1) - - allow init_t $1:process rlimitinh; - - ifdef(`direct_sysadm_daemon',` - userdom_dontaudit_use_user_terminals($1) - ') - - ifdef(`init_systemd',` - init_domain($1, $2) - - allow $1 init_t:unix_dgram_socket sendto; - ') - - optional_policy(` - nscd_use($1) - ') - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_daemon_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain for long running processes -## (daemons/services) which are started by init scripts, -## running at a specified MLS/MCS range. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts, running at a specified -## MLS/MCS range. Short running processes -## should use the init_ranged_system_domain() interface instead. -## Typically all long running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface if they need to run in a specific MLS/MCS range. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the policy build option TYPE is standard (MLS and MCS disabled), -## this interface has the same behavior as init_daemon_domain(). -##

-##
-## -## -## Type to be used as a daemon domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## MLS/MCS range for the domain. -## -## -## -# - define(`init_ranged_daemon_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_ranged_daemon_domain'($*)) dnl - - gen_require(` - type initrc_t; - ') - - ifdef(`init_systemd',` - init_ranged_domain($1, $2, $3) - ',` - init_daemon_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_ranged_daemon_domain'($*)) dnl - ') - - -######################################### -## -## Abstract socket service activation (systemd). -## -## -## -## The domain to be started by systemd socket activation. -## -## -# - define(`init_abstract_socket_activation',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_abstract_socket_activation'($*)) dnl - - ifdef(`init_systemd',` - gen_require(` - type init_t; - ') - - allow init_t $1:unix_stream_socket create_stream_socket_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_abstract_socket_activation'($*)) dnl - ') - - -######################################### -## -## Named socket service activation (systemd). -## -## -## -## The domain to be started by systemd socket activation. -## -## -## -## -## The domain socket file type. 
-## -## -# - define(`init_named_socket_activation',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_named_socket_activation'($*)) dnl - - ifdef(`init_systemd',` - gen_require(` - type init_t; - ') - - allow init_t $1:unix_dgram_socket create_socket_perms; - allow init_t $1:unix_stream_socket create_stream_socket_perms; - allow init_t $2:dir manage_dir_perms; - allow init_t $2:fifo_file manage_fifo_file_perms; - allow init_t $2:sock_file manage_sock_file_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_named_socket_activation'($*)) dnl - ') - - -######################################## -## -## Create a domain for short running processes -## which are started by init scripts. -## -## -##

-## Create a domain for short running processes -## which are started by init scripts. These are generally applications that -## are used to initialize the system during boot. -## Long running processes, such as daemons/services -## should use the init_daemon_domain() interface instead. -## Typically all short running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the process must also run in a specific MLS/MCS level, -## the init_ranged_system_domain() should be used instead. -##

-##
-## -## -## Type to be used as a system domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# - define(`init_system_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_system_domain'($*)) dnl - - gen_require(` - type initrc_t; - role system_r; - attribute systemprocess; - ') - - typeattribute $1 systemprocess; - application_domain($1, $2) - - role system_r types $1; - - domtrans_pattern(initrc_t, $2, $1) - - ifdef(`init_systemd',` - init_domain($1, $2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_system_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain for short running processes -## which are started by init scripts. -## -## -##

-## Create a domain for long running processes (daemons/services) -## which are started by init scripts. -## These are generally applications that -## are used to initialize the system during boot. -## Long running processes -## should use the init_ranged_system_domain() interface instead. -## Typically all short running processes started by an init -## script (usually in /etc/init.d) will need to use this -## interface if they need to run in a specific MLS/MCS range. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##

-## If the policy build option TYPE is standard (MLS and MCS disabled), -## this interface has the same behavior as init_system_domain(). -##

-##
-## -## -## Type to be used as a system domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -## -## Range for the domain. -## -## -## -# - define(`init_ranged_system_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_ranged_system_domain'($*)) dnl - - gen_require(` - type initrc_t; - ') - - ifdef(`init_systemd',` - init_ranged_domain($1, $2, $3) - ',` - init_system_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_ranged_system_domain'($*)) dnl - ') - - -###################################### -## -## Allow domain dyntransition to init_t domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`init_dyntrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dyntrans'($*)) dnl - - gen_require(` - type init_t; - ') - - dyntrans_pattern($1, init_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dyntrans'($*)) dnl - ') - - -######################################## -## -## Mark the file type as a daemon pid file, allowing initrc_t -## to create it -## -## -## -## Type to mark as a daemon pid file -## -## -## -## -## Class on which the type is applied -## -## -## -## -## Filename of the file that the init script creates -## -## -# - define(`init_daemon_pid_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_daemon_pid_file'($*)) dnl - - gen_require(` - attribute daemonpidfile; - type initrc_t; - ') - - typeattribute $1 daemonpidfile; - - files_pid_file($1) - files_pid_filetrans(initrc_t, $1, $2, $3) - - popdef(`policy_call_depth') dnl - 
policy_m4_comment(policy_call_depth,end `init_daemon_pid_file'($*)) dnl - ') - - -######################################## -## -## Mark the file type as a daemon lock file, allowing initrc_t -## to create it -## -## -## -## Type to mark as a daemon lock file -## -## -## -## -## Class on which the type is applied -## -## -## -## -## Filename of the file that the init script creates -## -## -# - define(`init_daemon_lock_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_daemon_lock_file'($*)) dnl - - gen_require(` - type initrc_t; - ') - - files_lock_file($1) - files_lock_filetrans(initrc_t, $1, $2, $3) - - allow initrc_t $1:dir manage_dir_perms; - allow initrc_t $1:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_daemon_lock_file'($*)) dnl - ') - - -######################################## -## -## Execute init (/sbin/init) with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`init_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_domtrans'($*)) dnl - - gen_require(` - type init_t, init_exec_t; - ') - - domtrans_pattern($1, init_exec_t, init_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute init (/sbin/init) with a domain transition -## to the provided domain. -## -## -## Execute init (/sbin/init) with a domain transition -## to the provided domain. This is used by systemd -## to execute the systemd user session. -## -## -## -## The type to be used as a systemd --user domain. 
-## -## -# - define(`init_pgm_spec_user_daemon_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_pgm_spec_user_daemon_domain'($*)) dnl - - gen_require(` - type init_t, init_exec_t; - ') - - domain_type($1) - domain_entry_file($1, init_exec_t) - - spec_domtrans_pattern(init_t, init_exec_t, $1) - - allow init_t $1:process { setsched rlimitinh noatsecure }; - - ifdef(`init_systemd',` - allow $1 init_t:unix_stream_socket { getattr read write ioctl }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_pgm_spec_user_daemon_domain'($*)) dnl - ') - - -######################################## -## -## Execute the init program in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_exec'($*)) dnl - - gen_require(` - type init_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, init_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_exec'($*)) dnl - ') - - -######################################## -## -## Allow the init program to be an entrypoint -## for the specified domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_pgm_entrypoint',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_pgm_entrypoint'($*)) dnl - - gen_require(` - type init_exec_t; - ') - - allow $1 init_exec_t:file entrypoint; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_pgm_entrypoint'($*)) dnl - ') - - -######################################## -## -## Execute the rc application in the caller domain. -## -## -##

-## This is only applicable to Gentoo or distributions that use the OpenRC -## init system. -##

-##

-## The OpenRC /sbin/rc binary is used for both init scripts as well as -## management applications and tools. When used for management purposes, -## calling /sbin/rc should never cause a transition to initrc_t. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`init_exec_rc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_exec_rc'($*)) dnl - - gen_require(` - type rc_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_exec_rc'($*)) dnl - ') - - -######################################## -## -## Get the process group of init. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getpgid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getpgid'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process getpgid; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getpgid'($*)) dnl - ') - - -######################################## -## -## Send init a generic signal. -## -## -## -## Domain allowed access. -## -## -# - define(`init_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_signal'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_signal'($*)) dnl - ') - - -######################################## -## -## Send init a null signal. -## -## -## -## Domain allowed access. -## -## -# - define(`init_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_signull'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_signull'($*)) dnl - ') - - -######################################## -## -## Send init a SIGCHLD signal. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_sigchld'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_sigchld'($*)) dnl - ') - - -######################################## -## -## Connect to init with a unix socket. -## -## -## -## Domain allowed access. -## -## -# - define(`init_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_stream_connect'($*)) dnl - - gen_require(` - type init_t, init_runtime_t; - ') - - stream_connect_pattern($1, init_runtime_t, init_runtime_t, init_t) - files_search_pids($1) - allow $1 init_t:unix_stream_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_stream_connect'($*)) dnl - ') - - -######################################## -## -## Inherit and use file descriptors from init. -## -## -##

-## Allow the specified domain to inherit file -## descriptors from the init program (process ID 1). -## Typically the only file descriptors to be -## inherited from init are for the console. -## This does not allow the domain any access to -## the object to which the file descriptors references. -##

-##

-## Related interfaces: -##

-##
    -##
  • init_dontaudit_use_fds()
  • -##
  • term_dontaudit_use_console()
  • -##
  • term_use_console()
  • -##
-##

-## Example usage: -##

-##

-## init_use_fds(mydomain_t) -## term_use_console(mydomain_t) -##

-##

-## Normally, processes that can inherit these file -## descriptors (usually services) write messages to the -## system log instead of writing to the console. -## Therefore, in many cases, this access should -## dontaudited instead. -##

-##

-## Example dontaudit usage: -##

-##

-## init_dontaudit_use_fds(mydomain_t) -## term_dontaudit_use_console(mydomain_t) -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`init_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_use_fds'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit file -## descriptors from init. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_fds'($*)) dnl - - gen_require(` - type init_t; - ') - - dontaudit $1 init_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Send messages to init unix datagram sockets. -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_dgram_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dgram_send'($*)) dnl - - gen_require(` - type init_t, init_runtime_t; - ') - - dgram_send_pattern($1, init_runtime_t, init_runtime_t, init_t) - files_search_pids($1) - allow $1 init_t:unix_stream_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dgram_send'($*)) dnl - ') - - -######################################## -## -## Read and write to inherited init unix streams. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_rw_inherited_stream_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_inherited_stream_socket'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:unix_stream_socket { getattr read write ioctl }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_inherited_stream_socket'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to read/write to -## init with unix domain stream sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`init_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_stream_sockets'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:unix_stream_socket rw_stream_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## start service (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_start_system',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_start_system'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_start_system'($*)) dnl - ') - - -######################################## -## -## stop service (systemd). -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_stop_system',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_stop_system'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system stop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_stop_system'($*)) dnl - ') - - -######################################## -## -## Get all service status (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_get_system_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_get_system_status'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_get_system_status'($*)) dnl - ') - - -######################################## -## -## Enable all systemd services (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_enable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_enable'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system enable; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_enable'($*)) dnl - ') - - -######################################## -## -## Disable all services (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_disable',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_disable'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system disable; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_disable'($*)) dnl - ') - - -######################################## -## -## Reload all services (systemd). -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_reload',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_reload'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system reload; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_reload'($*)) dnl - ') - - -######################################## -## -## Reboot the system (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_reboot_system',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_reboot_system'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system reboot; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_reboot_system'($*)) dnl - ') - - -######################################## -## -## Shutdown (halt) the system (systemd). -## -## -## -## Domain allowed access. -## -## -# - define(`init_shutdown_system',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_shutdown_system'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:system halt; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_shutdown_system'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get init status -## -## -## -## Domain to allow access. -## -## -# - define(`init_service_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_service_status'($*)) dnl - - gen_require(` - type init_t; - class service status; - ') - - allow $1 init_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_service_status'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get init start -## -## -## -## Domain to allow access. 
-## -## -# - define(`init_service_start',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_service_start'($*)) dnl - - gen_require(` - type init_t; - class service start; - ') - - allow $1 init_t:service start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_service_start'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## systemd over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`init_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dbus_chat'($*)) dnl - - gen_require(` - type init_t; - class dbus send_msg; - ') - - allow $1 init_t:dbus send_msg; - allow init_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dbus_chat'($*)) dnl - ') - - -######################################## -## -## read/follow symlinks under /var/lib/systemd/ -## -## -## -## Domain allowed access. -## -## -# - define(`init_read_var_lib_links',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_var_lib_links'($*)) dnl - - gen_require(` - type init_var_lib_t; - ') - - allow $1 init_var_lib_t:dir list_dir_perms; - allow $1 init_var_lib_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_var_lib_links'($*)) dnl - ') - - -######################################## -## -## List /var/lib/systemd/ dir -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_list_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_list_var_lib_dirs'($*)) dnl - - gen_require(` - type init_var_lib_t; - ') - - allow $1 init_var_lib_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_list_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel dirs in /var/lib/systemd/. -## -## -## -## Domain allowed access. -## -## -# - define(`init_relabel_var_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_relabel_var_lib_dirs'($*)) dnl - - gen_require(` - type init_var_lib_t; - ') - - allow $1 init_var_lib_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_relabel_var_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Manage files in /var/lib/systemd/. -## -## -## -## Domain allowed access. -## -## -# - define(`init_manage_var_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_var_lib_files'($*)) dnl - - gen_require(` - type init_var_lib_t; - ') - - manage_files_pattern($1, init_var_lib_t, init_var_lib_t) - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_var_lib_files'($*)) dnl - ') - - -######################################## -## -## Create files in /var/lib/systemd -## with an automatic type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`init_var_lib_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_var_lib_filetrans'($*)) dnl - - gen_require(` - type init_var_lib_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, init_var_lib_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_var_lib_filetrans'($*)) dnl - ') - - -###################################### -## -## Allow search directory in the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_search_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_search_pids'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_search_pids'($*)) dnl - ') - - -###################################### -## -## Allow listing of the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_list_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_list_pids'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:dir list_dir_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_list_pids'($*)) dnl - ') - - -###################################### -## -## Create symbolic links in the /run/systemd directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_manage_pid_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_pid_symlinks'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:lnk_file create_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_pid_symlinks'($*)) dnl - ') - - -###################################### -## -## Create files in the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_create_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_create_pid_files'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:file create_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_create_pid_files'($*)) dnl - ') - - -###################################### -## -## Write files in the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_write_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_pid_files'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_pid_files'($*)) dnl - ') - - -###################################### -## -## Create, read, write, and delete -## directories in the /run/systemd directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_manage_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_pid_dirs'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - manage_dirs_pattern($1, init_runtime_t, init_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Create files in an init PID directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# - define(`init_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_pid_filetrans'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - files_search_pids($1) - filetrans_pattern($1, init_runtime_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_pid_filetrans'($*)) dnl - ') - - -######################################## -## -## Get the attributes of initctl. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getattr_initctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr_initctl'($*)) dnl - - gen_require(` - type initctl_t; - ') - - files_search_pids($1) - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr_initctl'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the -## attributes of initctl. -## -## -## -## Domain to not audit. 
-## -## -# - define(`init_dontaudit_getattr_initctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_initctl'($*)) dnl - - gen_require(` - type initctl_t; - ') - - dontaudit $1 initctl_t:fifo_file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_initctl'($*)) dnl - ') - - -######################################## -## -## Write to initctl. -## -## -## -## Domain allowed access. -## -## -# - define(`init_write_initctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_initctl'($*)) dnl - - gen_require(` - type initctl_t; - ') - - dev_list_all_dev_nodes($1) - files_search_pids($1) - allow $1 initctl_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_initctl'($*)) dnl - ') - - -######################################## -## -## Use telinit (Read and write initctl). -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_telinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_telinit'($*)) dnl - - gen_require(` - type initctl_t, init_t; - ') - - ps_process_pattern($1, init_t) - allow $1 init_t:process signal; - # upstart uses a datagram socket instead of initctl pipe - allow $1 self:unix_dgram_socket create_socket_perms; - allow $1 init_t:unix_dgram_socket sendto; - #576913 - allow $1 init_t:unix_stream_socket connectto; - - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - - corecmd_exec_bin($1) - - dev_list_all_dev_nodes($1) - files_search_pids($1) - - init_exec($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_telinit'($*)) dnl - ') - - -######################################## -## -## Read and write initctl. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_rw_initctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_initctl'($*)) dnl - - gen_require(` - type initctl_t; - ') - - dev_list_all_dev_nodes($1) - files_search_pids($1) - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_initctl'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write initctl. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_rw_initctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_initctl'($*)) dnl - - gen_require(` - type initctl_t; - ') - - dontaudit $1 initctl_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_initctl'($*)) dnl - ') - - -######################################## -## -## Make init scripts an entry point for -## the specified domain. -## -## -## -## Domain allowed access. -## -## -# cjp: added for gentoo integrated run_init - define(`init_script_file_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_script_file_entry_type'($*)) dnl - - gen_require(` - type initrc_exec_t; - ') - - # /sbin/runscript is a wrapper for /sbin/rc, so run_init_t - # wants to execute initrc_exec_t (no transition needed anymore) whereas - # runscript previously was a binary - # allow $1 initrc_exec_t:file execute_no_trans; - - domain_entry_file($1, initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_file_entry_type'($*)) dnl - ') - - -######################################## -## -## Execute init scripts with a specified domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`init_spec_domtrans_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_spec_domtrans_script'($*)) dnl - - gen_require(` - type initrc_t, initrc_exec_t; - ') - - files_list_etc($1) - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) - - ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; - ') - - ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_spec_domtrans_script'($*)) dnl - ') - - -######################################## -## -## Execute init scripts with an automatic domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`init_domtrans_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_domtrans_script'($*)) dnl - - gen_require(` - type initrc_t, initrc_exec_t; - ') - - files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) - - ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; - ') - - ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; - ') - - ifdef(`distro_gentoo',` - gen_require(` - type rc_exec_t; - ') - - domtrans_pattern($1, rc_exec_t, initrc_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_domtrans_script'($*)) dnl - ') - - -######################################## -## -## Execute labelled init scripts with an automatic domain transition. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`init_domtrans_labeled_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_domtrans_labeled_script'($*)) dnl - - gen_require(` - type initrc_t; - attribute init_script_file_type; - attribute initrc_transition_domain; - ') - - typeattribute $1 initrc_transition_domain; - - files_list_etc($1) - domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` - range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` - range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_domtrans_labeled_script'($*)) dnl - ') - - -######################################## -## -## Execute a init script in a specified domain. -## -## -##

-## Execute a init script in a specified domain. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# cjp: added for gentoo integrated run_init - define(`init_script_file_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_script_file_domtrans'($*)) dnl - - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - domain_auto_transition_pattern($1, initrc_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_file_domtrans'($*)) dnl - ') - - -######################################## -## -## Send a kill signal to init scripts. -## -## -## -## Domain allowed access. -## -## -# - define(`init_kill_scripts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_kill_scripts'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_kill_scripts'($*)) dnl - ') - - -######################################## -## -## Allow manage service for initrc_exec_t scripts -## -## -## -## Target domain -## -## -# - define(`init_manage_script_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_script_service'($*)) dnl - - gen_require(` - type initrc_exec_t; - class service { status start stop }; - ') - - allow $1 initrc_exec_t:service { start stop status }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_script_service'($*)) dnl - ') - - -######################################## -## -## Transition to the init script domain -## on a specified labeled init script. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Labeled init script file. 
-## -## -# - define(`init_labeled_script_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_labeled_script_domtrans'($*)) dnl - - gen_require(` - type initrc_t; - attribute initrc_transition_domain; - ') - - typeattribute $1 initrc_transition_domain; - domtrans_pattern($1, $2, initrc_t) - files_search_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_labeled_script_domtrans'($*)) dnl - ') - - -######################################### -## -## Transition to the init script domain -## for all labeled init script types -## -## -## -## Domain allowed to transition. -## -## -# - define(`init_all_labeled_script_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_all_labeled_script_domtrans'($*)) dnl - - gen_require(` - attribute init_script_file_type; - ') - - init_labeled_script_domtrans($1, init_script_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_all_labeled_script_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow getting service status of initrc_exec_t scripts -## -## -## -## Target domain -## -## -# - define(`init_get_script_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_get_script_status'($*)) dnl - - gen_require(` - type initrc_exec_t; - class service status; - ') - - allow $1 initrc_exec_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_get_script_status'($*)) dnl - ') - - -######################################## -## -## Allow the role to start and stop -## labeled services. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to be performing this action. -## -## -## -## -## Type to be used as a daemon domain. 
-## -## -## -## -## Labeled init script file. -## -## -## -## -## Systemd unit file type. -## -## -# - define(`init_startstop_service',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_startstop_service'($*)) dnl - - gen_require(` - role system_r; - ') - - # sysvinit/upstart systems will need to use run_init - # if not using direct_sysadm_daemon. - ifdef(`direct_sysadm_daemon',` - init_labeled_script_domtrans($1, $4) - domain_system_change_exemption($1) - role_transition $2 $4 system_r; - allow $2 system_r; - ') - - ifdef(`distro_gentoo',` - # for OpenRC - seutil_labeled_init_script_run_runinit($1, $2, $4) - ') - - ifdef(`init_systemd',` - # This ifelse condition is temporary, until - # all callers are updated to provide unit files. - ifelse(`$5',`',`',` - gen_require(` - class service { start status stop }; - ') - - allow $1 $5:service { start status stop }; - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_startstop_service'($*)) dnl - ') - - -######################################## -## -## Start and stop daemon programs directly. -## -## -##

-## Start and stop daemon programs directly -## in the traditional "/etc/init.d/daemon start" -## style, and do not require run_init. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The role to be performing this action. -## -## -# - define(`init_run_daemon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_run_daemon'($*)) dnl - - gen_require(` - attribute init_script_file_type; - role system_r; - ') - - allow $2 system_r; - - init_all_labeled_script_domtrans($1) - role_transition $2 init_script_file_type system_r; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_run_daemon'($*)) dnl - ') - - -######################################## -## -## Start and stop init_script_file_type services -## -## -## -## domain that can start and stop the services -## -## -# - define(`init_startstop_all_script_services',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_startstop_all_script_services'($*)) dnl - - gen_require(` - attribute init_script_file_type; - class service { start status stop }; - ') - - allow $1 init_script_file_type:service { start status stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_startstop_all_script_services'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of init. -## -## -## -## Domain allowed access. -## -## -# - define(`init_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_state'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:dir search_dir_perms; - allow $1 init_t:file read_file_perms; - allow $1 init_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_state'($*)) dnl - ') - - -######################################## -## -## Dontaudit read the process state (/proc/pid) of init. -## -## -## -## Domain to not audit. 
-## -## -# - define(`init_dontaudit_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_state'($*)) dnl - - gen_require(` - type init_t; - ') - - dontaudit $1 init_t:dir search_dir_perms; - dontaudit $1 init_t:file read_file_perms; - dontaudit $1 init_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_read_state'($*)) dnl - ') - - -######################################## -## -## Ptrace init -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_ptrace',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_ptrace'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process ptrace; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_ptrace'($*)) dnl - ') - - -######################################## -## -## get init process stats -## -## -## -## Domain allowed access. -## -## -## -# - define(`init_getattr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr'($*)) dnl - ') - - -######################################## -## -## Read an init script unnamed pipe. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_script_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_script_pipes'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_script_pipes'($*)) dnl - ') - - -######################################## -## -## Write an init script unnamed pipe. -## -## -## -## Domain allowed access. -## -## -# - define(`init_write_script_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_script_pipes'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fifo_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_script_pipes'($*)) dnl - ') - - -######################################## -## -## Get the attribute of init script entrypoint files. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getattr_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr_script_files'($*)) dnl - - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - allow $1 initrc_exec_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr_script_files'($*)) dnl - ') - - -######################################## -## -## Read init scripts. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_script_files'($*)) dnl - - gen_require(` - type initrc_exec_t; - ') - - files_search_etc($1) - allow $1 initrc_exec_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_script_files'($*)) dnl - ') - - -######################################## -## -## Execute init scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`init_exec_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_exec_script_files'($*)) dnl - - gen_require(` - type initrc_exec_t; - ') - - files_list_etc($1) - can_exec($1, initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_exec_script_files'($*)) dnl - ') - - -######################################## -## -## Get the attribute of all init script entrypoint files. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getattr_all_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr_all_script_files'($*)) dnl - - gen_require(` - attribute init_script_file_type; - ') - - files_list_etc($1) - allow $1 init_script_file_type:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr_all_script_files'($*)) dnl - ') - - -######################################## -## -## Read all init script files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_all_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_all_script_files'($*)) dnl - - gen_require(` - attribute init_script_file_type; - ') - - files_search_etc($1) - allow $1 init_script_file_type:file read_file_perms; - - ifdef(`distro_gentoo',` - # Bug 554514 - allow $1 init_script_file_type:lnk_file read_lnk_file_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_all_script_files'($*)) dnl - ') - - -####################################### -## -## Dontaudit read all init script files. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_read_all_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_all_script_files'($*)) dnl - - gen_require(` - attribute init_script_file_type; - ') - - dontaudit $1 init_script_file_type:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_read_all_script_files'($*)) dnl - ') - - -######################################## -## -## Execute all init scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`init_exec_all_script_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_exec_all_script_files'($*)) dnl - - gen_require(` - attribute init_script_file_type; - ') - - files_list_etc($1) - can_exec($1, init_script_file_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_exec_all_script_files'($*)) dnl - ') - - -######################################## -## -## Read the process state (/proc/pid) of the init scripts. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_script_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_script_state'($*)) dnl - - gen_require(` - type initrc_t; - ') - - kernel_search_proc($1) - ps_process_pattern($1, initrc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_script_state'($*)) dnl - ') - - -######################################## -## -## Inherit and use init script file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`init_use_script_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_use_script_fds'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_use_script_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## init script file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_use_script_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_fds'($*)) dnl - - gen_require(` - type initrc_t; - ') - - dontaudit $1 initrc_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_fds'($*)) dnl - ') - - -######################################## -## -## Search init script keys. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_search_script_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_search_script_keys'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_search_script_keys'($*)) dnl - ') - - -######################################## -## -## Get the process group ID of init scripts. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getpgid_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getpgid_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process getpgid; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getpgid_script'($*)) dnl - ') - - -######################################## -## -## Send SIGCHLD signals to init scripts. -## -## -## -## Domain allowed access. -## -## -# - define(`init_sigchld_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_sigchld_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_sigchld_script'($*)) dnl - ') - - -######################################## -## -## Send generic signals to init scripts. -## -## -## -## Domain allowed access. -## -## -# - define(`init_signal_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_signal_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_signal_script'($*)) dnl - ') - - -######################################## -## -## Send null signals to init scripts. 
-## -## -## -## Domain allowed access. -## -## -# - define(`init_signull_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_signull_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_signull_script'($*)) dnl - ') - - -######################################## -## -## Read and write init script unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`init_rw_script_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_script_pipes'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:fifo_file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_script_pipes'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to -## init scripts with a unix socket. -## -## -## -## Domain allowed access. -## -## -# - define(`init_stream_connect_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_stream_connect_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_stream_connect_script'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to read/write to -## init scripts with a unix domain stream sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_rw_script_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_script_stream_sockets'($*)) dnl - - gen_require(` - type initrc_t; - ') - - allow $1 initrc_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_script_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Dont audit the specified domain connecting to -## init scripts with a unix domain stream socket. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_stream_connect_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect_script'($*)) dnl - - gen_require(` - type initrc_t; - ') - - dontaudit $1 initrc_t:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect_script'($*)) dnl - ') - -######################################## -## -## Send messages to init scripts over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`init_dbus_send_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dbus_send_script'($*)) dnl - - gen_require(` - type initrc_t; - class dbus send_msg; - ') - - allow $1 initrc_t:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dbus_send_script'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## init scripts over dbus. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_dbus_chat_script',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dbus_chat_script'($*)) dnl - - gen_require(` - type initrc_t; - class dbus send_msg; - ') - - allow $1 initrc_t:dbus send_msg; - allow initrc_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dbus_chat_script'($*)) dnl - ') - - -######################################## -## -## Read and write the init script pty. -## -## -##

-## Read and write the init script pty. This -## pty is generally opened by the open_init_pty -## portion of the run_init program so that the -## daemon does not require direct access to -## the administrator terminal. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`init_use_script_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_use_script_ptys'($*)) dnl - - gen_require(` - type initrc_devpts_t; - ') - - term_list_ptys($1) - allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_use_script_ptys'($*)) dnl - ') - - -######################################## -## -## Read and write inherited init script ptys. -## -## -## -## Domain allowed access. -## -## -# - define(`init_use_inherited_script_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_use_inherited_script_ptys'($*)) dnl - - gen_require(` - type initrc_devpts_t; - ') - - term_list_ptys($1) - allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; - - init_use_fds($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_use_inherited_script_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write the init script pty. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_use_script_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_ptys'($*)) dnl - - gen_require(` - type initrc_devpts_t; - ') - - dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_ptys'($*)) dnl - ') - - -######################################## -## -## Get the attributes of init script -## status files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_getattr_script_status_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr_script_status_files'($*)) dnl - - gen_require(` - type initrc_state_t; - ') - - getattr_files_pattern($1, initrc_state_t, initrc_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr_script_status_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read init script -## status files. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_read_script_status_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_script_status_files'($*)) dnl - - gen_require(` - type initrc_state_t; - ') - - dontaudit $1 initrc_state_t:dir search_dir_perms; - dontaudit $1 initrc_state_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_read_script_status_files'($*)) dnl - ') - - -###################################### -## -## Search the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_search_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_search_run'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - files_search_pids($1) - allow $1 init_runtime_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_search_run'($*)) dnl - ') - - -######################################## -## -## Read init script temporary data. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_script_tmp_files'($*)) dnl - - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write init script inherited temporary data. -## -## -## -## Domain allowed access. -## -## -# - define(`init_rw_inherited_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_inherited_script_tmp_files'($*)) dnl - - gen_require(` - type initrc_tmp_t; - ') - - allow $1 initrc_tmp_t:file rw_inherited_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_inherited_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write init script temporary data. -## -## -## -## Domain allowed access. -## -## -# - define(`init_rw_script_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_script_tmp_files'($*)) dnl - - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_script_tmp_files'($*)) dnl - ') - - -######################################## -## -## Create files in a init script -## temporary data directory. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`init_script_tmp_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_script_tmp_filetrans'($*)) dnl - - gen_require(` - type initrc_tmp_t; - ') - - files_search_tmp($1) - filetrans_pattern($1, initrc_tmp_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_tmp_filetrans'($*)) dnl - ') - - -######################################## -## -## Get the attributes of init script process id files. -## -## -## -## Domain allowed access. -## -## -# - define(`init_getattr_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getattr_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - allow $1 initrc_runtime_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getattr_utmp'($*)) dnl - ') - - -######################################## -## -## Read utmp. -## -## -## -## Domain allowed access. -## -## -# - define(`init_read_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - files_list_pids($1) - allow $1 initrc_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_utmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write utmp. -## -## -## -## Domain to not audit. 
-## -## -# - define(`init_dontaudit_write_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - dontaudit $1 initrc_runtime_t:file { write lock }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_write_utmp'($*)) dnl - ') - - -######################################## -## -## Write to utmp. -## -## -## -## Domain allowed access. -## -## -# - define(`init_write_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - files_list_pids($1) - allow $1 initrc_runtime_t:file { getattr open write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_utmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to lock -## init script pid files. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_lock_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_lock_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - dontaudit $1 initrc_runtime_t:file lock; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_lock_utmp'($*)) dnl - ') - - -######################################## -## -## Read and write utmp. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_rw_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rw_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - files_list_pids($1) - allow $1 initrc_runtime_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rw_utmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write utmp. -## -## -## -## Domain to not audit. -## -## -# - define(`init_dontaudit_rw_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - dontaudit $1 initrc_runtime_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_utmp'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete utmp. -## -## -## -## Domain allowed access. -## -## -# - define(`init_manage_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - files_search_pids($1) - allow $1 initrc_runtime_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_utmp'($*)) dnl - ') - - -######################################## -## -## Relabel utmp. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_relabel_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_relabel_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - allow $1 initrc_runtime_t:file { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_relabel_utmp'($*)) dnl - ') - - -######################################## -## -## Create files in /var/run with the -## utmp file type. -## -## -## -## Domain allowed access. -## -## -# - define(`init_pid_filetrans_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_pid_filetrans_utmp'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans_utmp() instead.') - init_runtime_filetrans_utmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_pid_filetrans_utmp'($*)) dnl - ') - - -######################################## -## -## Create files in /var/run with the -## utmp file type. -## -## -## -## Domain allowed access. -## -## -# - define(`init_runtime_filetrans_utmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_runtime_filetrans_utmp'($*)) dnl - - gen_require(` - type initrc_runtime_t; - ') - - files_pid_filetrans($1, initrc_runtime_t, file, "utmp") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_runtime_filetrans_utmp'($*)) dnl - ') - - -####################################### -## -## Create a directory in the /run/systemd directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_create_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_create_pid_dirs'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_dirs() instead.') - init_create_runtime_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_create_pid_dirs'($*)) dnl - ') - - -####################################### -## -## Create a directory in the /run/systemd directory. -## -## -## -## Domain allowed access. -## -## -# - define(`init_create_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_create_runtime_dirs'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:dir list_dir_perms; - create_dirs_pattern($1, init_runtime_t, init_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_create_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Rename init_runtime_t files -## -## -## -## domain -## -## -# - define(`init_rename_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rename_pid_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_rename_runtime_files() instead.') - init_rename_runtime_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rename_pid_files'($*)) dnl - ') - - -######################################## -## -## Rename init_runtime_t files -## -## -## -## domain -## -## -# - define(`init_rename_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_rename_runtime_files'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - rename_files_pattern($1, init_runtime_t, init_runtime_t) - - 
popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_rename_runtime_files'($*)) dnl - ') - - -######################################## -## -## Delete init_runtime_t files -## -## -## -## domain -## -## -# - define(`init_delete_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_delete_pid_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_delete_runtime_files() instead.') - init_delete_runtime_files($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_delete_pid_files'($*)) dnl - ') - - -######################################## -## -## Delete init_runtime_t files -## -## -## -## domain -## -## -# - define(`init_delete_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_delete_runtime_files'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - delete_files_pattern($1, init_runtime_t, init_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_delete_runtime_files'($*)) dnl - ') - - -####################################### -## -## Allow the specified domain to write to -## init sock file. -## -## -## -## Domain allowed access. -## -## -# - define(`init_write_pid_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_pid_socket'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_socket() instead.') - init_write_runtime_socket($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_pid_socket'($*)) dnl - ') - - -####################################### -## -## Allow the specified domain to write to -## init sock file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_write_runtime_socket',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_write_runtime_socket'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - allow $1 init_runtime_t:sock_file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_write_runtime_socket'($*)) dnl - ') - - -######################################## -## -## Read init unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`init_read_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_pid_pipes'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use init_read_runtime_pipes() instead.') - init_read_runtime_pipes($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_pid_pipes'($*)) dnl - ') - - -######################################## -## -## Read init unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`init_read_runtime_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_runtime_pipes'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - read_fifo_files_pattern($1, init_runtime_t, init_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_runtime_pipes'($*)) dnl - ') - - -###################################### -## -## read systemd unit symlinks (usually under /run/systemd/units/) -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_runtime_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_runtime_symlinks'($*)) dnl - - gen_require(` - type init_runtime_t; - ') - - read_lnk_files_pattern($1, init_runtime_t, init_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_runtime_symlinks'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to daemon with a tcp socket -## -## -## -## Domain allowed access. -## -## -# - define(`init_tcp_recvfrom_all_daemons',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_tcp_recvfrom_all_daemons'($*)) dnl - - gen_require(` - attribute daemon; - ') - - corenet_tcp_recvfrom_labeled($1, daemon) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_tcp_recvfrom_all_daemons'($*)) dnl - ') - - -######################################## -## -## Allow the specified domain to connect to daemon with a udp socket -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_udp_recvfrom_all_daemons',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_udp_recvfrom_all_daemons'($*)) dnl - - gen_require(` - attribute daemon; - ') - corenet_udp_recvfrom_labeled($1, daemon) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_udp_recvfrom_all_daemons'($*)) dnl - ') - - -# This should be behind an ifdef distro_gentoo but this is not allowed here - -######################################### -## -## Allow reading the init script state files -## -## -## -## Domain allowed access -## -## -# - define(`init_read_script_status_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_script_status_files'($*)) dnl - - gen_require(` - type initrc_state_t; - ') - - read_files_pattern($1, initrc_state_t, initrc_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_script_status_files'($*)) dnl - ') - - -######################################### -## -## Label to init script status files -## -## -## -## Domain allowed access -## -## -# - define(`init_relabelto_script_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_relabelto_script_state'($*)) dnl - - gen_require(` - type initrc_state_t; - ') - - relabelto_files_pattern($1, initrc_state_t, initrc_state_t) - relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_relabelto_script_state'($*)) dnl - ') - - -######################################### -## -## Mark as a readable type for the initrc_t domain -## -## -## -## Type that initrc_t needs read access to -## -## -# - define(`init_script_readable_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin 
`init_script_readable_type'($*)) dnl - - gen_require(` - attribute init_script_readable; - ') - - typeattribute $1 init_script_readable; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_script_readable_type'($*)) dnl - ') - - -###################################### -## -## Search systemd unit dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`init_search_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_search_units'($*)) dnl - - gen_require(` - type init_runtime_t, systemd_unit_t; - ') - - search_dirs_pattern($1, init_runtime_t, systemd_unit_t) - - # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd - files_search_etc($1) - files_search_usr($1) - libs_search_lib($1) - - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_search_units'($*)) dnl - ') - - -###################################### -## -## List systemd unit dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`init_list_unit_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_list_unit_dirs'($*)) dnl - - gen_require(` - type systemd_unit_t; - ') - - allow $1 systemd_unit_t:dir list_dir_perms; - - init_search_units($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_list_unit_dirs'($*)) dnl - ') - - -######################################## -## -## Read systemd unit links -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_read_generic_units_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_read_generic_units_symlinks'($*)) dnl - - gen_require(` - type systemd_unit_t; - ') - - allow $1 systemd_unit_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_read_generic_units_symlinks'($*)) dnl - ') - - -######################################## -## -## Get status of generic systemd units. -## -## -## -## Domain allowed access. -## -## -# - define(`init_get_generic_units_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_get_generic_units_status'($*)) dnl - - gen_require(` - type systemd_unit_t; - class service status; - ') - - allow $1 systemd_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_get_generic_units_status'($*)) dnl - ') - - -######################################## -## -## Start generic systemd units. -## -## -## -## Domain allowed access. -## -## -# - define(`init_start_generic_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_start_generic_units'($*)) dnl - - gen_require(` - type systemd_unit_t; - class service start; - ') - - allow $1 systemd_unit_t:service start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_start_generic_units'($*)) dnl - ') - - -######################################## -## -## Stop generic systemd units. -## -## -## -## Domain to not audit. 
-## -## -# - define(`init_stop_generic_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_stop_generic_units'($*)) dnl - - gen_require(` - type systemd_unit_t; - class service stop; - ') - - allow $1 systemd_unit_t:service stop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_stop_generic_units'($*)) dnl - ') - - -####################################### -## -## Reload generic systemd units. -## -## -## -## Domain allowed access. -## -## -# - define(`init_reload_generic_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_reload_generic_units'($*)) dnl - - gen_require(` - type systemd_unit_t; - class service reload; - ') - - allow $1 systemd_unit_t:service reload; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_reload_generic_units'($*)) dnl - ') - - -######################################## -## -## Get status of all systemd units. -## -## -## -## Domain allowed access. -## -## -# - define(`init_get_all_units_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_get_all_units_status'($*)) dnl - - gen_require(` - attribute init_script_file_type, systemdunit; - class service status; - ') - - allow $1 { init_script_file_type systemdunit }:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_get_all_units_status'($*)) dnl - ') - - -####################################### -## -## All perms on all systemd units. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_manage_all_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_manage_all_units'($*)) dnl - - gen_require(` - attribute systemdunit; - class service all_service_perms; - ') - - allow $1 systemdunit:service all_service_perms; - allow $1 systemdunit:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_manage_all_units'($*)) dnl - ') - - -######################################## -## -## Start all systemd units. -## -## -## -## Domain allowed access. -## -## -# - define(`init_start_all_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_start_all_units'($*)) dnl - - gen_require(` - attribute init_script_file_type, systemdunit; - class service start; - ') - - allow $1 { init_script_file_type systemdunit }:service start; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_start_all_units'($*)) dnl - ') - - -######################################## -## -## Stop all systemd units. -## -## -## -## Domain to not audit. -## -## -# - define(`init_stop_all_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_stop_all_units'($*)) dnl - - gen_require(` - attribute init_script_file_type, systemdunit; - class service stop; - ') - - allow $1 { init_script_file_type systemdunit }:service stop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_stop_all_units'($*)) dnl - ') - - -####################################### -## -## Reload all systemd units. -## -## -## -## Domain allowed access. 
-## -## -# - define(`init_reload_all_units',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_reload_all_units'($*)) dnl - - gen_require(` - attribute init_script_file_type, systemdunit; - class service reload; - ') - - allow $1 { init_script_file_type systemdunit }:service reload; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_reload_all_units'($*)) dnl - ') - - -######################################## -## -## Allow unconfined access to send instructions to init -## -## -## -## Target domain -## -## -# - define(`init_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_admin'($*)) dnl - - dev_manage_null_service($1) - init_disable($1) - init_enable($1) - init_get_all_units_status($1) - init_get_generic_units_status($1) - init_get_system_status($1) - init_manage_all_units($1) - init_manage_script_service($1) - init_reboot_system($1) - init_reload($1) - init_reload_all_units($1) - init_shutdown_system($1) - init_start_system($1) - init_start_all_units($1) - init_start_generic_units($1) - init_stop_all_units($1) - init_stop_generic_units($1) - init_stop_system($1) - init_telinit($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_admin'($*)) dnl - ') - - -######################################## -## -## Allow getting init_t rlimit -## -## -## -## Source domain -## -## -# - define(`init_getrlimit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `init_getrlimit'($*)) dnl - - gen_require(` - type init_t; - ') - - allow $1 init_t:process getrlimit; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `init_getrlimit'($*)) dnl - ') - -## Policy for local logins. - -######################################## -## -## Execute local logins in the local login domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`locallogin_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_domtrans'($*)) dnl - - gen_require(` - type local_login_t; - ') - - auth_domtrans_login_program($1, local_login_t) - - ifdef(`enable_mcs',` - auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow calling domain to read locallogin state. -## -## -## -## Domain allowed permission. -## -## -# - define(`locallogin_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_read_state'($*)) dnl - - gen_require(` - type local_login_t; - ') - - kernel_search_proc($1) - allow $1 local_login_t:file read_file_perms; - allow $1 local_login_t:lnk_file read_lnk_file_perms; - allow $1 local_login_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_read_state'($*)) dnl - ') - - -######################################## -## -## Allow processes to inherit local login file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`locallogin_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_use_fds'($*)) dnl - - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit local login file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`locallogin_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_dontaudit_use_fds'($*)) dnl - - gen_require(` - type local_login_t; - ') - - dontaudit $1 local_login_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Send a null signal to local login processes. -## -## -## -## Domain allowed access. -## -## -# - define(`locallogin_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_signull'($*)) dnl - - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_signull'($*)) dnl - ') - - -######################################## -## -## Search for key. -## -## -## -## Domain allowed access. -## -## -# - define(`locallogin_search_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_search_keys'($*)) dnl - - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_search_keys'($*)) dnl - ') - - -######################################## -## -## Allow link to the local_login key ring. -## -## -## -## Domain allowed access. 
-## -## -# - define(`locallogin_link_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_link_keys'($*)) dnl - - gen_require(` - type local_login_t; - ') - - allow $1 local_login_t:key link; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_link_keys'($*)) dnl - ') - - -######################################## -## -## Execute single-user logins in the single-user login domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`locallogin_domtrans_sulogin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `locallogin_domtrans_sulogin'($*)) dnl - - gen_require(` - type sulogin_exec_t, sulogin_t; - ') - - domtrans_pattern($1, sulogin_exec_t, sulogin_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `locallogin_domtrans_sulogin'($*)) dnl - ') - -## PCMCIA card management services. - -######################################## -## -## PCMCIA stub interface. No access allowed. -## -## -## -## Domain allowed access. -## -## -# - define(`pcmcia_stub',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_stub'($*)) dnl - - gen_require(` - type cardmgr_t; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_stub'($*)) dnl - ') - - -######################################## -## -## Execute cardmgr in the cardmgr domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`pcmcia_domtrans_cardmgr',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardmgr'($*)) dnl - - gen_require(` - type cardmgr_t, cardmgr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cardmgr_exec_t, cardmgr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardmgr'($*)) dnl - ') - - -######################################## -## -## Inherit and use cardmgr file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`pcmcia_use_cardmgr_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_use_cardmgr_fds'($*)) dnl - - gen_require(` - type cardmgr_t; - ') - - allow $1 cardmgr_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_use_cardmgr_fds'($*)) dnl - ') - - -######################################## -## -## Execute cardctl in the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`pcmcia_domtrans_cardctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardctl'($*)) dnl - - gen_require(` - type cardmgr_t, cardctl_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, cardctl_exec_t, cardmgr_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardctl'($*)) dnl - ') - - -######################################## -## -## Execute cardctl in the cardmgr -## domain, and allow the specified -## role the cardmgr domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`pcmcia_run_cardctl',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_run_cardctl'($*)) dnl - - gen_require(` - attribute_role cardmgr_roles; - ') - - pcmcia_domtrans_cardctl($1) - roleattribute $2 cardmgr_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_run_cardctl'($*)) dnl - ') - - -######################################## -## -## Read cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`pcmcia_read_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_read_pid'($*)) dnl - - gen_require(` - type cardmgr_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_read_pid'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## cardmgr pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`pcmcia_manage_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid'($*)) dnl - - gen_require(` - type cardmgr_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## cardmgr runtime character nodes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`pcmcia_manage_pid_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid_chr_files'($*)) dnl - - gen_require(` - type cardmgr_runtime_t; - ') - - files_search_pids($1) - manage_chr_files_pattern($1, cardmgr_runtime_t, cardmgr_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid_chr_files'($*)) dnl - ') - -## Tools for filesystem management, such as mkfs and fsck. - -######################################## -## -## Execute fs tools in the fstools domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`fstools_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_domtrans'($*)) dnl - - gen_require(` - type fsadm_t, fsadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, fsadm_exec_t, fsadm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute fs tools in the fstools domain, and -## allow the specified role the fs tools domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`fstools_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_run'($*)) dnl - - gen_require(` - type fsadm_t; - ') - - fstools_domtrans($1) - role $2 types fsadm_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_run'($*)) dnl - ') - - -######################################## -## -## Execute fsadm in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fstools_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_exec'($*)) dnl - - gen_require(` - type fsadm_exec_t; - ') - - can_exec($1, fsadm_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_exec'($*)) dnl - ') - - -######################################## -## -## Send signal to fsadm process -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_signal'($*)) dnl - - gen_require(` - type fsadm_t; - ') - - allow $1 fsadm_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_signal'($*)) dnl - ') - - -######################################## -## -## Inherit fstools file descriptors. -## -## -## -## The type of the process performing this action. -## -## -# - define(`fstools_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_use_fds'($*)) dnl - - gen_require(` - type fsadm_t; - ') - - allow $1 fsadm_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_use_fds'($*)) dnl - ') - - -######################################## -## -## Read fstools unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_read_pipes'($*)) dnl - - gen_require(` - type fsadm_t; - ') - - allow $1 fsadm_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_read_pipes'($*)) dnl - ') - - -######################################## -## -## Relabel a file to the type used by the -## filesystem tools programs. 
-## -## -## -## Domain allowed access. -## -## -# - define(`fstools_relabelto_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_relabelto_entry_files'($*)) dnl - - gen_require(` - type fsadm_exec_t; - ') - - allow $1 fsadm_exec_t:file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_relabelto_entry_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete a file used by the -## filesystem tools programs. -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_manage_entry_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_manage_entry_files'($*)) dnl - - gen_require(` - type fsadm_exec_t; - ') - - allow $1 fsadm_exec_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_manage_entry_files'($*)) dnl - ') - - -######################################## -## -## Write to fsadm_log_t -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_write_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_write_log'($*)) dnl - - gen_require(` - type fsadm_log_t; - ') - - allow $1 fsadm_log_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_write_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete filesystem tools -## runtime files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fstools_manage_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_manage_runtime_files'($*)) dnl - - gen_require(` - type fsadm_run_t; - ') - - manage_files_pattern($1, fsadm_run_t, fsadm_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_manage_runtime_files'($*)) dnl - ') - - -######################################## -## -## Getattr swapfile -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_getattr_swap_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_getattr_swap_files'($*)) dnl - - gen_require(` - type swapfile_t; - ') - - allow $1 swapfile_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_getattr_swap_files'($*)) dnl - ') - - -######################################## -## -## Ignore access to a swapfile. -## -## -## -## Domain to not audit. -## -## -# - define(`fstools_dontaudit_getattr_swap_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_dontaudit_getattr_swap_files'($*)) dnl - - gen_require(` - type swapfile_t; - ') - - dontaudit $1 swapfile_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_dontaudit_getattr_swap_files'($*)) dnl - ') - - -######################################## -## -## Relabel to swapfile. -## -## -## -## Domain allowed access. 
-## -## -# - define(`fstools_relabelto_swap_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_relabelto_swap_files'($*)) dnl - - gen_require(` - type swapfile_t; - ') - - allow $1 swapfile_t:file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_relabelto_swap_files'($*)) dnl - ') - - -######################################## -## -## Manage swapfile. -## -## -## -## Domain allowed access. -## -## -# - define(`fstools_manage_swap_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `fstools_manage_swap_files'($*)) dnl - - gen_require(` - type swapfile_t; - ') - - allow $1 swapfile_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `fstools_manage_swap_files'($*)) dnl - ') - -## NetLabel/CIPSO labeled networking management - -######################################## -## -## Execute netlabel_mgmt in the netlabel_mgmt domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`netlabel_domtrans_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netlabel_domtrans_mgmt'($*)) dnl - - gen_require(` - type netlabel_mgmt_t, netlabel_mgmt_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netlabel_domtrans_mgmt'($*)) dnl - ') - - -######################################## -## -## Execute netlabel_mgmt in the netlabel_mgmt domain, and -## allow the specified role the netlabel_mgmt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`netlabel_run_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `netlabel_run_mgmt'($*)) dnl - - gen_require(` - type netlabel_mgmt_t; - ') - - netlabel_domtrans_mgmt($1) - role $2 types netlabel_mgmt_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `netlabel_run_mgmt'($*)) dnl - ') - -## Collection of tools for managing UNIX services. - -######################################## -## -## An ipc channel between the -## supervised domain and svc_start_t. -## -## -## -## Domain allowed access. -## -## -# - define(`daemontools_ipc_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_ipc_domain'($*)) dnl - - gen_require(` - type svc_start_t; - ') - - allow $1 svc_start_t:process sigchld; - allow $1 svc_start_t:fd use; - allow $1 svc_start_t:fifo_file rw_fifo_file_perms; - allow svc_start_t $1:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_ipc_domain'($*)) dnl - ') - - -######################################## -## -## Create a domain which can be -## started by daemontools. -## -## -## -## Type to be used as a domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -# - define(`daemontools_service_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_service_domain'($*)) dnl - - gen_require(` - type svc_run_t; - ') - - domain_auto_transition_pattern(svc_run_t, $2, $1) - daemontools_ipc_domain($1) - - allow svc_run_t $1:process signal; - allow $1 svc_run_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_service_domain'($*)) dnl - ') - - -######################################## -## -## Execute svc start in the svc -## start domain. 
-## -## -## -## Domain allowed to transition. -## -## -# - define(`daemontools_domtrans_start',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_start'($*)) dnl - - gen_require(` - type svc_start_t, svc_start_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_start_exec_t, svc_start_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_domtrans_start'($*)) dnl - ') - - -###################################### -## -## Execute svc start in the svc -## start domain, and allow the -## specified role the svc start domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`daemonstools_run_start',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemonstools_run_start'($*)) dnl - - gen_require(` - attribute_role svc_start_roles; - ') - - daemontools_domtrans_start($1) - roleattribute $2 svc_start_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemonstools_run_start'($*)) dnl - ') - - -######################################## -## -## Execute avc run in the svc run domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`daemontools_domtrans_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_run'($*)) dnl - - gen_require(` - type svc_run_t, svc_run_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_run_exec_t, svc_run_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_domtrans_run'($*)) dnl - ') - - -###################################### -## -## Send child terminated signals -## to svc run. -## -## -## -## Domain allowed access. 
-## -## -# - define(`daemontools_sigchld_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_sigchld_run'($*)) dnl - - gen_require(` - type svc_run_t; - ') - - allow $1 svc_run_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_sigchld_run'($*)) dnl - ') - - -######################################## -## -## Execute avc multilog in the svc -## multilog domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`daemontools_domtrans_multilog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_multilog'($*)) dnl - - gen_require(` - type svc_multilog_t, svc_multilog_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_domtrans_multilog'($*)) dnl - ') - - -###################################### -## -## Search svc svc directories. -## -## -## -## Domain allowed access. -## -## -# - define(`daemontools_search_svc_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_search_svc_dir'($*)) dnl - - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_search_svc_dir'($*)) dnl - ') - - -######################################## -## -## Read svc avc files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`daemontools_read_svc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_read_svc'($*)) dnl - - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir list_dir_perms; - allow $1 svc_svc_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_read_svc'($*)) dnl - ') - - -######################################## -## -## Create, read, write and delete -## svc svc content. -## -## -## -## Domain allowed access. -## -## -## -# - define(`daemontools_manage_svc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `daemontools_manage_svc'($*)) dnl - - gen_require(` - type svc_svc_t; - ') - - files_search_var($1) - allow $1 svc_svc_t:dir manage_dir_perms; - allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `daemontools_manage_svc'($*)) dnl - ') - -## Policy for changing the system host name. - -######################################## -## -## Execute hostname in the hostname domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hostname_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hostname_domtrans'($*)) dnl - - gen_require(` - type hostname_t, hostname_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hostname_exec_t, hostname_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hostname_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute hostname in the hostname domain, and -## allow the specified role the hostname domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -# - define(`hostname_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hostname_run'($*)) dnl - - gen_require(` - type hostname_t; - ') - - hostname_domtrans($1) - role $2 types hostname_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hostname_run'($*)) dnl - ') - - -######################################## -## -## Execute hostname in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`hostname_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hostname_exec'($*)) dnl - - gen_require(` - type hostname_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, hostname_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hostname_exec'($*)) dnl - ') - -## Policy for kernel module utilities - -###################################### -## -## Getattr the dependencies of kernel modules. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_getattr_module_deps',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_getattr_module_deps'($*)) dnl - - gen_require(` - type modules_dep_t, modules_object_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_dep_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_getattr_module_deps'($*)) dnl - ') - - -######################################## -## -## Read the dependencies of kernel modules. -## -## -## -## Domain allowed access. 
-## -## -# - define(`modutils_read_module_deps',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps'($*)) dnl - - gen_require(` - type modules_dep_t; - ') - - files_list_kernel_modules($1) - allow $1 modules_dep_t:file { read_file_perms map }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_read_module_deps'($*)) dnl - ') - - -######################################## -## -## Read the kernel modules. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_read_module_objects',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_read_module_objects'($*)) dnl - - gen_require(` - type modules_object_t; - ') - - files_list_kernel_modules($1) - allow $1 modules_object_t:file { read_file_perms map }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_read_module_objects'($*)) dnl - ') - - -######################################## -## -## Read the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -## -# - define(`modutils_read_module_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_read_module_config'($*)) dnl - - gen_require(` - type modules_conf_t; - ') - - # This file type can be in /etc or - # /lib(64)?/modules - files_search_etc($1) - files_search_boot($1) - - allow $1 modules_conf_t:dir list_dir_perms; - allow $1 modules_conf_t:file read_file_perms; - allow $1 modules_conf_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_read_module_config'($*)) dnl - ') - - -######################################## -## -## Rename a file with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. 
-## -## -# - define(`modutils_rename_module_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_rename_module_config'($*)) dnl - - gen_require(` - type modules_conf_t; - ') - - rename_files_pattern($1, modules_conf_t, modules_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_rename_module_config'($*)) dnl - ') - - -######################################## -## -## Unlink a file with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_delete_module_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_delete_module_config'($*)) dnl - - gen_require(` - type modules_conf_t; - ') - - delete_files_pattern($1, modules_conf_t, modules_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_delete_module_config'($*)) dnl - ') - - -######################################## -## -## Manage files with the configuration options used when -## loading modules. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_manage_module_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_manage_module_config'($*)) dnl - - gen_require(` - type modules_conf_t; - ') - - manage_files_pattern($1, modules_conf_t, modules_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_manage_module_config'($*)) dnl - ') - - -######################################## -## -## Execute any modutil, -## like insmod, kmod, depmod or updates-modules, -## in the kmod domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`modutils_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_domtrans'($*)) dnl - - gen_require(` - type kmod_t, kmod_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, kmod_exec_t, kmod_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute any modutil, -## like insmod, kmod, depmod or updates-modules, -## in the kmod domain, and allow the specified role -## the kmod domain, and use the caller's terminal. -## Has a sigchld backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`modutils_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_run'($*)) dnl - - gen_require(` - attribute_role kmod_roles; - ') - - modutils_domtrans($1) - roleattribute $2 kmod_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_run'($*)) dnl - ') - - -######################################## -## -## Execute any modutil, -## like insmod, kmod, depmod or updates-modules, -## in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_exec'($*)) dnl - - gen_require(` - type kmod_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, kmod_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_exec'($*)) dnl - ') - - -######################################## -## -## Unconditionally execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# -# cjp: this is added for pppd, due to nested -# conditionals not working. 
- define(`modutils_domtrans_insmod_uncond',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod_uncond'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod_uncond'($*)) dnl - ') - - -######################################## -## -## Execute insmod in the insmod domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`modutils_domtrans_insmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod'($*)) dnl - ') - - -######################################## -## -## Execute insmod in the insmod domain, and -## allow the specified role the insmod domain, -## and use the caller's terminal. Has a sigchld -## backchannel. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`modutils_run_insmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_run_insmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_run_insmod'($*)) dnl - ') - - -######################################## -## -## Execute insmod in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`modutils_exec_insmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_exec_insmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_exec_insmod'($*)) dnl - ') - - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`modutils_domtrans_depmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_domtrans_depmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_domtrans_depmod'($*)) dnl - ') - - -######################################## -## -## Execute depmod in the depmod domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`modutils_run_depmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_run_depmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_run_depmod'($*)) dnl - ') - - -######################################## -## -## Execute depmod in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`modutils_exec_depmod',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_exec_depmod'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_exec_depmod'($*)) dnl - ') - - -######################################## -## -## Execute update_modules in the update_modules domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`modutils_domtrans_update_mods',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_domtrans_update_mods'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans() instead.') - modutils_domtrans($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_domtrans_update_mods'($*)) dnl - ') - - -######################################## -## -## Execute update_modules in the update_modules domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`modutils_run_update_mods',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_run_update_mods'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_run() instead.') - modutils_run($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_run_update_mods'($*)) dnl - ') - - -######################################## -## -## Execute update_modules in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`modutils_exec_update_mods',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_exec_update_mods'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated, please use modutils_exec() instead.') - modutils_exec($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_exec_update_mods'($*)) dnl - ') - - -######################################## -## -## Read kmod lib files. -## -## -## -## Domain allowed access. -## -## -# - define(`modutils_read_var_run_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `modutils_read_var_run_files'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `modutils_read_var_run_files'($*)) dnl - ') - -## Policy for user domains - -####################################### -## -## The template containing the most basic rules common to all users. -## -## -##

-## The template containing the most basic rules common to all users. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty and pty. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# - define(`userdom_base_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_base_user_template'($*)) dnl - - - gen_require(` - attribute userdomain; - type user_devpts_t, user_tty_device_t; - class context contains; - role $1_r; - ') - - attribute $1_file_type; - - type $1_t, userdomain; - domain_type($1_t) - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) - ubac_constrained($1_t) - role $1_r types $1_t; - allow system_r $1_r; - - term_user_pty($1_t, user_devpts_t) - - term_user_tty($1_t, user_tty_device_t) - - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:key manage_key_perms; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; - allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:context contains; - dontaudit $1_t self:socket create; - - allow $1_t user_devpts_t:chr_file { setattr rw_chr_file_perms }; - term_create_pty($1_t, user_devpts_t) - # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_devpts_t:chr_file ioctl; - - allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; - # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; - - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) - kernel_dontaudit_getattr_unlabeled_symlinks($1_t) - kernel_dontaudit_getattr_unlabeled_pipes($1_t) - 
kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t) - - dev_dontaudit_getattr_all_blk_files($1_t) - dev_dontaudit_getattr_all_chr_files($1_t) - - # for X session unlock - allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; - - # for KDE - allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms; - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) - files_read_usr_files($1_t) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) - files_read_world_readable_pipes($1_t) - files_read_world_readable_sockets($1_t) - # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) - - libs_exec_ld_so($1_t) - - miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) - - sysnet_read_config($1_t) - - # kdeinit wants systemd status - init_get_system_status($1_t) - - optional_policy(` - apt_read_cache($1_t) - apt_read_db($1_t) - ') - - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') - - tunable_policy(`allow_execmem && allow_execstack',` - # Allow making the stack executable via mprotect. 
- allow $1_t self:process execstack; - ') - - optional_policy(` - devicekit_dbus_chat_disk($1_t) - devicekit_dbus_chat_power($1_t) - ') - - optional_policy(` - kerneloops_dbus_chat($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_base_user_template'($*)) dnl - ') - - -####################################### -## -## Template for handling user content through standard tunables -## -## -##

-## This template generates the tunable blocks for accessing -## end user content, either the generic one (user_home_t) -## or the complete one (based on user_home_content_type). -##

-##

-## It calls the *_read_generic_user_content, -## *_read_all_user_content, *_manage_generic_user_content, and -## *_manage_all_user_content booleans. -##

-##
-## -## -## The application domain prefix to use, meant for the boolean -## calls -## -## -## -## -## The application domain which is granted the necessary privileges -## -## -## -# - define(`userdom_user_content_access_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_content_access_template'($*)) dnl - - ## - ##

- ## Grant the $1 domains read access to generic user content - ##

- ##
- gen_tunable(`$1_read_generic_user_content', true) - - ## - ##

- ## Grant the $1 domains read access to all user content - ##

- ##
- gen_tunable(`$1_read_all_user_content', false) - - ## - ##

- ## Grant the $1 domains manage rights on generic user content - ##

- ##
- gen_tunable(`$1_manage_generic_user_content', false) - - ## - ##

- ## Grant the $1 domains manage rights on all user content - ##

- ##
- gen_tunable(`$1_manage_all_user_content', false) - - tunable_policy(`$1_read_generic_user_content',` - userdom_list_user_tmp($2) - userdom_list_user_home_content($2) - userdom_read_user_home_content_files($2) - userdom_read_user_home_content_symlinks($2) - userdom_read_user_tmp_files($2) - userdom_read_user_tmp_symlinks($2) - ',` - files_dontaudit_list_home($2) - files_dontaudit_list_tmp($2) - - userdom_dontaudit_list_user_home_dirs($2) - userdom_dontaudit_list_user_tmp($2) - userdom_dontaudit_read_user_home_content_files($2) - userdom_dontaudit_read_user_tmp_files($2) - ') - - tunable_policy(`$1_read_all_user_content',` - userdom_list_user_tmp($2) - userdom_read_all_user_home_content($2) - ') - - tunable_policy(`$1_manage_generic_user_content',` - userdom_manage_user_tmp_dirs($2) - userdom_manage_user_tmp_files($2) - userdom_manage_user_tmp_symlinks($2) - userdom_manage_user_home_content_dirs($2) - userdom_manage_user_home_content_files($2) - userdom_manage_user_home_content_symlinks($2) - ') - - tunable_policy(`$1_manage_all_user_content',` - userdom_manage_all_user_home_content($2) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_content_access_template'($*)) dnl - ') - - -####################################### -## -## Allow a home directory for which the -## role has read-only access. -## -## -##

-## Allow a home directory for which the -## role has read-only access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## The user role -## -## -## -## -## The user domain -## -## -## -# - define(`userdom_ro_home_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_ro_home_role'($*)) dnl - - gen_require(` - type user_home_t, user_home_dir_t; - ') - - ############################## - # - # Domain access to home dir - # - - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # read-only home directory - allow $2 user_home_dir_t:dir list_dir_perms; - allow $2 user_home_t:dir list_dir_perms; - allow $2 user_home_t:file entrypoint; - read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - files_list_home($2) - - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($2) - fs_read_nfs_files($2) - fs_read_nfs_symlinks($2) - fs_read_nfs_named_sockets($2) - fs_read_nfs_named_pipes($2) - ',` - fs_dontaudit_list_nfs($2) - fs_dontaudit_read_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_list_cifs($2) - fs_read_cifs_files($2) - fs_read_cifs_symlinks($2) - fs_read_cifs_named_sockets($2) - fs_read_cifs_named_pipes($2) - ',` - fs_dontaudit_list_cifs($2) - fs_dontaudit_read_cifs_files($2) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_ro_home_role'($*)) dnl - ') - - -####################################### -## -## Allow a home directory for which the -## role has full access. -## -## -##

-## Allow a home directory for which the -## role has full access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## The user role -## -## -## -## -## The user domain -## -## -## -# - define(`userdom_manage_home_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_home_role'($*)) dnl - - gen_require(` - type user_home_t, user_home_dir_t, user_cert_t; - ') - - ############################## - # - # Domain access to home dir - # - - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # full control of the home directory - allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) - files_list_home($2) - - # cjp: this should probably be removed: - allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - - userdom_manage_user_certs($2) - userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($2) - fs_manage_nfs_files($2) - fs_manage_nfs_symlinks($2) - fs_manage_nfs_named_sockets($2) - fs_manage_nfs_named_pipes($2) - ',` - fs_dontaudit_manage_nfs_dirs($2) - fs_dontaudit_manage_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs($2) - fs_manage_cifs_files($2) 
- fs_manage_cifs_symlinks($2) - fs_manage_cifs_named_sockets($2) - fs_manage_cifs_named_pipes($2) - ',` - fs_dontaudit_manage_cifs_dirs($2) - fs_dontaudit_manage_cifs_files($2) - ') - - ifdef(`distro_gentoo',` - - optional_policy(` - flash_manage_home($2) - flash_relabel_home($2) - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_home_role'($*)) dnl - ') - - -####################################### -## -## Manage user temporary files -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -## -# - define(`userdom_manage_tmp_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_role'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - files_poly_member_tmp($2, user_tmp_t) - - manage_dirs_pattern($2, user_tmp_t, user_tmp_t) - manage_files_pattern($2, user_tmp_t, user_tmp_t) - manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) - manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) - manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) - userdom_user_runtime_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_role'($*)) dnl - ') - - -####################################### -## -## The execute access user temporary files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`userdom_exec_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_exec_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - exec_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_exec_user_tmp_files'($*)) dnl - ') - - -####################################### -## -## Role access for the user tmpfs type -## that the user has full access. -## -## -##

-## Role access for the user tmpfs type -## that the user has full access. -##

-##

-## This does not allow execute access. -##

-##
-## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. -## -## -## -# - define(`userdom_manage_tmpfs_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_role'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) - fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_role'($*)) dnl - ') - - -####################################### -## -## The template allowing the user basic -## network permissions -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). 
-## -## -## -# - define(`userdom_basic_networking_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_basic_networking_template'($*)) dnl - - gen_require(` - type $1_t; - ') - - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) - corenet_udp_sendrecv_generic_node($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) - - corenet_all_recvfrom_labeled($1_t, $1_t) - - optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) - ') - - optional_policy(` - ipsec_match_default_spd($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_basic_networking_template'($*)) dnl - ') - - -####################################### -## -## The template for allowing the user to change passwords. -## -## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -## -# - define(`userdom_change_password_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_change_password_template'($*)) dnl - - gen_require(` - type $1_t; - role $1_r; - ') - - optional_policy(` - usermanage_run_chfn($1_t, $1_r) - usermanage_run_passwd($1_t, $1_r) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_change_password_template'($*)) dnl - ') - - -####################################### -## -## The template containing rules common to unprivileged -## users and administrative users. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# - define(`userdom_common_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_common_user_template'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - userdom_basic_networking_template($1) - - ############################## - # - # User domain Local policy - # - - # evolution and gnome-session try to create a netlink socket - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - - # gnome-settings-daemon and some applications create a netlink socket - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - - allow $1_t unpriv_userdomain:fd use; - - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) - # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) - # Find CDROM devices: - kernel_read_device_sysctls($1_t) - - corecmd_exec_bin($1_t) - - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) - - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) - dev_rw_wireless($1_t) - - files_exec_etc_files($1_t) - files_search_locks($1_t) - # List mounted filesystems (cdrom, FAT, NTFS and so on) - files_list_mnt($1_t) - # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) - files_read_var_lib_files($1_t) - # Stat lost+found. 
- files_getattr_lost_found_dirs($1_t) - - fs_rw_cgroup_files($1_t) - - # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) - selinux_validate_context($1_t) - selinux_compute_access_vector($1_t) - selinux_compute_create_context($1_t) - selinux_compute_relabel_context($1_t) - selinux_compute_user_contexts($1_t) - - # for eject - storage_getattr_fixed_disk_dev($1_t) - - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) - auth_run_pam($1_t, $1_r) - auth_run_utempter($1_t, $1_r) - - init_read_utmp($1_t) - - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) - seutil_run_newrole($1_t, $1_r) - seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. - seutil_dontaudit_signal_newrole($1_t) - - ifndef(`enable_mls',` - tunable_policy(`user_write_removable',` - # Read/write floppies and other removable devices - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - ',` - # Read floppies - storage_raw_read_removable_device($1_t) - ') - ') - - tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) - ') - - tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_dirs($1_t) - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_symlinks($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - fs_read_noxattr_fs_symlinks($1_t) - ') - - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_ttys($1_t) - ') - - tunable_policy(`user_write_removable',` - # Read/write USB devices (e.g. external removable USB mass storage devices) - dev_rw_generic_usb_dev($1_t) - ',` - # Read USB devices (e.g. 
external removable USB mass storage devices) - dev_read_generic_usb_dev($1_t) - ') - - - optional_policy(` - alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") - alsa_manage_home_files($1_t) - alsa_read_config($1_t) - alsa_relabel_home_files($1_t) - ') - - optional_policy(` - # Allow graphical boot to check battery lifespan - acpi_stream_connect($1_t) - ') - - optional_policy(` - canna_stream_connect($1_t) - ') - - optional_policy(` - dbus_system_bus_client($1_t) - - optional_policy(` - accountsd_dbus_chat($1_t) - ') - - optional_policy(` - bluetooth_dbus_chat($1_t) - ') - - optional_policy(` - colord_dbus_chat($1_t) - ') - - optional_policy(` - consolekit_dbus_chat($1_t) - ') - - optional_policy(` - cups_dbus_chat_config($1_t) - ') - - optional_policy(` - devicekit_dbus_chat_disk($1_t) - devicekit_dbus_chat_power($1_t) - ') - - optional_policy(` - hal_dbus_chat($1_t) - ') - - optional_policy(` - networkmanager_dbus_chat($1_t) - ') - - optional_policy(` - policykit_dbus_chat($1_t) - ') - - optional_policy(` - rtkit_daemon_dbus_chat($1_t) - ') - - optional_policy(` - xserver_dbus_chat_xdm($1_t) - ') - ') - - optional_policy(` - dpkg_read_db($1_t) - ') - - optional_policy(` - gssproxy_stream_connect($1_t) - ') - - optional_policy(` - hwloc_exec_dhwd($1_t) - hwloc_read_runtime_files($1_t) - ') - - optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) - ') - - optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) - ') - - optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") - ') - - optional_policy(` - locate_read_lib_files($1_t) - ') - - optional_policy(` - mpd_manage_user_data_content($1_t) - mpd_relabel_user_data_content($1_t) - ') - - # for running depmod as part of the kernel packaging process - optional_policy(` - modutils_read_module_config($1_t) - ') - - optional_policy(` - mta_rw_spool($1_t) - ') 
- - optional_policy(` - mysql_manage_mysqld_home_files($1_t) - mysql_relabel_mysqld_home_files($1_t) - mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") - - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') - ') - - optional_policy(` - oident_manage_user_content($1_t) - oident_relabel_user_content($1_t) - oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf") - ') - - optional_policy(` - # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) - ') - - optional_policy(` - pcscd_read_pid_files($1_t) - pcscd_stream_connect($1_t) - ') - - optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) - ') - ') - - optional_policy(` - ppp_manage_home_files($1_t) - ppp_relabel_home_files($1_t) - ppp_home_filetrans_ppp_home($1_t, file, ".ppprc") - ') - - optional_policy(` - resmgr_stream_connect($1_t) - ') - - optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) - ') - - optional_policy(` - samba_stream_connect_winbind($1_t) - ') - - optional_policy(` - slrnpull_search_spool($1_t) - ') - - optional_policy(` - systemd_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - usernetctl_run($1_t, $1_r) - ') - - optional_policy(` - virt_home_filetrans_virt_home($1_t, dir, ".libvirt") - virt_home_filetrans_virt_home($1_t, dir, ".virtinst") - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") - ') - - ifdef(`distro_gentoo',` - domain_dontaudit_getsched_all_domains($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_common_user_template'($*)) dnl - ') - - -####################################### -## -## The template for creating a login user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# - define(`userdom_login_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_login_user_template'($*)) dnl - - gen_require(` - class context contains; - ') - - userdom_base_user_template($1) - - userdom_manage_home_role($1_r, $1_t) - - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) - - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) - - userdom_map_user_tmpfs_files($1_t) - - userdom_change_password_template($1) - - ############################## - # - # User domain Local policy - # - - allow $1_t self:capability { chown fowner setgid }; - dontaudit $1_t self:capability { fsetid sys_nice }; - - allow $1_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; - dontaudit $1_t self:process setrlimit; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - - allow $1_t self:context contains; - - kernel_dontaudit_read_system_state($1_t) - - dev_read_sysfs($1_t) - dev_read_urand($1_t) - - domain_use_interactive_fds($1_t) - # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) - - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) - # Stat lost+found. 
- files_getattr_lost_found_dirs($1_t) - - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) - fs_search_auto_mountpoints($1_t) - fs_list_cgroup_dirs($1_t) - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_dontaudit_rw_cgroup_files($1_t) - - auth_dontaudit_write_login_records($1_t) - - application_exec_all($1_t) - - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) - # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) - - libs_exec_lib_files($1_t) - - logging_dontaudit_getattr_all_logs($1_t) - - miscfiles_read_man_pages($1_t) - # map is needed for man-dbs apropos program - miscfiles_map_man_cache($1_t) - miscfiles_read_public_files($1_t) - # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) - - seutil_read_config($1_t) - - optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) - ') - - optional_policy(` - kerberos_use($1_t) - ') - - optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) - ') - - optional_policy(` - quota_dontaudit_getattr_db($1_t) - ') - - optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_login_user_template'($*)) dnl - ') - - -####################################### -## -## The template for creating a unprivileged login user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# - define(`userdom_restricted_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_restricted_user_template'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - userdom_login_user_template($1) - - typeattribute $1_t unpriv_userdomain; - domain_interactive_fd($1_t) - - ############################## - # - # Local policy - # - - optional_policy(` - loadkeys_run($1_t, $1_r) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_restricted_user_template'($*)) dnl - ') - - -####################################### -## -## The template for creating a unprivileged xwindows login user. -## -## -##

-## The template for creating a unprivileged xwindows login user. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# - define(`userdom_restricted_xwindows_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_restricted_xwindows_user_template'($*)) dnl - - - userdom_restricted_user_template($1) - - ############################## - # - # Local policy - # - - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) - - dev_read_sound($1_t) - dev_write_sound($1_t) - # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) - - logging_send_syslog_msg($1_t) - logging_dontaudit_send_audit_msgs($1_t) - - # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) - selinux_get_enforce_mode($1_t) - - xserver_restricted_role($1_r, $1_t) - - optional_policy(` - alsa_read_config($1_t) - ') - - optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) - - optional_policy(` - consolekit_dbus_chat($1_t) - ') - - optional_policy(` - cups_dbus_chat($1_t) - ') - - optional_policy(` - gnome_role_template($1, $1_r, $1_t) - ') - - optional_policy(` - wm_role_template($1, $1_r, $1_t) - ') - ') - - optional_policy(` - java_role($1_r, $1_t) - ') - - optional_policy(` - pulseaudio_role($1_r, $1_t) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_restricted_xwindows_user_template'($*)) dnl - ') - - -####################################### -## -## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. -## -## -##

-## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. -##

-##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##
-## -## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -## -## -# - define(`userdom_unpriv_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_unpriv_user_template'($*)) dnl - - - ############################## - # - # Declarations - # - - # Inherit rules for ordinary users. - userdom_restricted_user_template($1) - userdom_common_user_template($1) - - ############################## - # - # Local policy - # - - # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) - - files_exec_usr_files($1_t) - - miscfiles_manage_public_files($1_t) - - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) - ') - - tunable_policy(`user_exec_noexattrfile',` - fs_exec_noxattr($1_t) - ') - - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) - ') - - # Allow users to run UDP servers (bind to ports and accept connection from - # the same domain and outside users) - tunable_policy(`user_udp_server',` - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) - ') - - optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) - ') - - # Run pppd in pppd_t by default for user - optional_policy(` - ppp_run_cond($1_t, $1_r) - ') - - optional_policy(` - setroubleshoot_stream_connect($1_t) - ') - - optional_policy(` - systemd_dbus_chat_logind($1_t) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end 
`userdom_unpriv_user_template'($*)) dnl - ') - - -####################################### -## -## The template for creating an administrative user. -## -## -##

-## This template creates a user domain, types, and -## rules for the user's tty, pty, home directories, -## tmp, and tmpfs files. -##

-##

-## The privileges given to administrative users are: -##

    -##
  • Raw disk access
  • -##
  • Set all sysctls
  • -##
  • All kernel ring buffer controls
  • -##
  • Create, read, write, and delete all files but shadow
  • -##
  • Manage source and binary format SELinux policy
  • -##
  • Run insmod
  • -##
-##

-##
-## -## -## The prefix of the user domain (e.g., sysadm -## is the prefix for sysadm_t). -## -## -# - define(`userdom_admin_user_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_admin_user_template'($*)) dnl - - gen_require(` - attribute admindomain; - class passwd { passwd chfn chsh rootok }; - ') - - ############################## - # - # Declarations - # - - # Inherit rules for ordinary users. - userdom_login_user_template($1) - userdom_common_user_template($1) - - domain_obj_id_change_exemption($1_t) - role system_r types $1_t; - - typeattribute $1_t admindomain; - - ifdef(`direct_sysadm_daemon',` - domain_system_change_exemption($1_t) - ') - - ############################## - # - # $1_t local policy - # - - allow $1_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease setfcap }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; - # Set password information for other users. - allow $1_t self:passwd { passwd chfn chsh }; - # Skip authentication when pam_rootok is specified. 
- allow $1_t self:passwd rootok; - - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_change_ring_buffer_level($1_t) - kernel_clear_ring_buffer($1_t) - kernel_read_ring_buffer($1_t) - kernel_get_sysvipc_info($1_t) - kernel_rw_all_sysctls($1_t) - # signal unlabeled processes: - kernel_kill_unlabeled($1_t) - kernel_signal_unlabeled($1_t) - kernel_sigstop_unlabeled($1_t) - kernel_signull_unlabeled($1_t) - kernel_sigchld_unlabeled($1_t) - - corenet_tcp_bind_generic_port($1_t) - # allow setting up tunnels - corenet_rw_tun_tap_dev($1_t) - - dev_getattr_generic_blk_files($1_t) - dev_getattr_generic_chr_files($1_t) - # for lsof - dev_getattr_mtrr_dev($1_t) - # Allow MAKEDEV to work - dev_create_all_blk_files($1_t) - dev_create_all_chr_files($1_t) - dev_delete_all_blk_files($1_t) - dev_delete_all_chr_files($1_t) - dev_rename_all_blk_files($1_t) - dev_rename_all_chr_files($1_t) - dev_create_generic_symlinks($1_t) - - domain_setpriority_all_domains($1_t) - domain_read_all_domains_state($1_t) - domain_getattr_all_domains($1_t) - domain_dontaudit_ptrace_all_domains($1_t) - # signal all domains: - domain_kill_all_domains($1_t) - domain_signal_all_domains($1_t) - domain_signull_all_domains($1_t) - domain_sigstop_all_domains($1_t) - domain_sigstop_all_domains($1_t) - domain_sigchld_all_domains($1_t) - # for lsof - domain_getattr_all_sockets($1_t) - - files_exec_usr_src_files($1_t) - - fs_getattr_all_fs($1_t) - fs_set_all_quotas($1_t) - fs_exec_noxattr($1_t) - - storage_read_tape($1_t) - storage_write_tape($1_t) - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) - - term_use_all_terms($1_t) - - auth_getattr_shadow($1_t) - # Manage almost all files - files_manage_non_auth_files($1_t) - files_map_non_auth_files($1_t) - # Relabel almost all files - files_relabel_non_auth_files($1_t) - - init_telinit($1_t) - - logging_send_syslog_msg($1_t) - - modutils_domtrans($1_t) - - # The following 
rule is temporary until such time that a complete - # policy management infrastructure is in place so that an administrator - # cannot directly manipulate policy files with arbitrary programs. - seutil_manage_src_policy($1_t) - # Violates the goal of limiting write access to checkpolicy. - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - - userdom_manage_user_home_content_dirs($1_t) - userdom_manage_user_home_content_files($1_t) - userdom_manage_user_home_content_symlinks($1_t) - userdom_manage_user_home_content_pipes($1_t) - userdom_manage_user_home_content_sockets($1_t) - userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - - optional_policy(` - postgresql_unconfined($1_t) - ') - - optional_policy(` - userhelper_exec($1_t) - ') - - ifdef(`distro_gentoo',` - # Grant block_suspend capability2 to administrators, this annoys the heck out of me - allow $1_t self:capability2 { block_suspend }; - # Allow admins to interact with kernel, for instance using lsusb command - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise - seutil_relabelto_bin_policy($1_t) - # allow to manage chr_files in user_tmp (for initrd's) - userdom_manage_user_tmp_chr_files($1_t) - # allow managing tun/tap interfaces (labeling) - # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy - allow $1_t self:tun_socket { relabelfrom relabelto }; - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_admin_user_template'($*)) dnl - ') - -') - -######################################## -## -## Allow user to run as a secadm -## -## -##

-## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -##

-##

-## This is a templated interface, and should only -## be called from a per-userdomain template. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The role of the object to create. -## -## -# - define(`userdom_security_admin_template',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_security_admin_template'($*)) dnl - - allow $1 self:capability { dac_override dac_read_search }; - - corecmd_exec_shell($1) - - domain_obj_id_change_exemption($1) - - dev_relabel_all_dev_nodes($1) - - files_create_boot_flag($1) - - # Necessary for managing /boot/efi - fs_manage_dos_files($1) - - mls_process_read_all_levels($1) - mls_file_read_all_levels($1) - mls_file_upgrade($1) - mls_file_downgrade($1) - - selinux_set_enforce_mode($1) - selinux_set_all_booleans($1) - selinux_set_parameters($1) - - files_relabel_non_auth_files($1) - auth_relabel_shadow($1) - - init_exec($1) - - logging_send_syslog_msg($1) - logging_read_audit_log($1) - logging_read_generic_logs($1) - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) - seutil_run_setfiles($1, $2) - - optional_policy(` - aide_run($1, $2) - ') - - optional_policy(` - consoletype_exec($1) - ') - - optional_policy(` - dmesg_exec($1) - ') - - optional_policy(` - ipsec_run_setkey($1, $2) - ') - - optional_policy(` - netlabel_run_mgmt($1, $2) - ') - - optional_policy(` - samhain_run($1, $2) - ') - - ifdef(`distro_gentoo',` - # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise - seutil_relabelto_bin_policy($1) - ') - dnl - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_security_admin_template'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as -## a user application domain type. -## -## -## -## Type to be used as a user application domain. 
-## -## -# - define(`userdom_user_application_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_application_type'($*)) dnl - - application_type($1) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_application_type'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as -## a user application domain. -## -## -## -## Type to be used as a user application domain. -## -## -## -## -## Type to be used as the domain entry point. -## -## -# - define(`userdom_user_application_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_application_domain'($*)) dnl - - application_domain($1, $2) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_application_domain'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable in a -## user home directory. -## -## -## -## Type to be used as a file in the -## user home directory. -## -## -# - define(`userdom_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_content'($*)) dnl - - gen_require(` - attribute user_home_content_type; - type user_home_t; - ') - - typeattribute $1 user_home_content_type; - - allow $1 user_home_t:filesystem associate; - files_type($1) - files_poly_member($1) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_content'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as a -## user temporary file. -## -## -## -## Type to be used as a file in the -## temporary directories. 
-## -## -# - define(`userdom_user_tmp_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_file'($*)) dnl - - files_tmp_file($1) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_tmp_file'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable as a -## user tmpfs file. -## -## -## -## Type to be used as a file in -## tmpfs directories. -## -## -# - define(`userdom_user_tmpfs_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_tmpfs_file'($*)) dnl - - files_tmpfs_file($1) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_tmpfs_file'($*)) dnl - ') - - -######################################## -## -## Allow domain to attach to TUN devices created by administrative users. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_attach_admin_tun_iface',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_attach_admin_tun_iface'($*)) dnl - - gen_require(` - attribute admindomain; - ') - - allow $1 admindomain:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_attach_admin_tun_iface'($*)) dnl - ') - - -######################################## -## -## Set the attributes of a user pty. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_setattr_user_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ptys'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - allow $1 user_devpts_t:chr_file setattr_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ptys'($*)) dnl - ') - - -######################################## -## -## Create a user pty. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_create_user_pty',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_create_user_pty'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - term_create_pty($1, user_devpts_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_create_user_pty'($*)) dnl - ') - - -######################################## -## -## Get the attributes of user home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_getattr_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir getattr_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_getattr_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of user home directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_getattr_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir getattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Search user home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_search_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_search_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search user home directories. -## -## -##

-## Do not audit attempts to search user home directories. -## This will suppress SELinux denial messages when the specified -## domain is denied the permission to search these directories. -##

-##
-## -## -## Domain to not audit. -## -## -## -# - define(`userdom_dontaudit_search_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## List user home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_list_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir list_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_list_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list user home subdirectories. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_list_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - dontaudit $1 user_home_dir_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Create user home directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_create_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_create_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_create_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Manage user home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to user home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabelto_user_home_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_home_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - allow $1 user_home_dir_t:dir relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_home_dirs'($*)) dnl - ') - - -######################################## -## -## Create directories in the home dir root with -## the user home directory type. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_home_filetrans_user_home_dir',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_home_filetrans_user_home_dir'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - files_home_filetrans($1, user_home_dir_t, dir, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_home_filetrans_user_home_dir'($*)) dnl - ') - - -######################################## -## -## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -## -## -##

-## Do a domain transition to the specified -## domain when executing a program in the -## user home directory. -##

-##

-## No interprocess communication (signals, pipes, -## etc.) is provided by this interface since -## the domains are not owned by this module. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Domain to transition to. -## -## -# - define(`userdom_user_home_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_domtrans'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - domain_auto_transition_pattern($1, user_home_t, $2) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_domtrans'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search user home content directories. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_search_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_content'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_content'($*)) dnl - ') - - -######################################## -## -## List all users home content directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_list_all_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_home_content'($*)) dnl - - gen_require(` - attribute user_home_content_type; - ') - - userdom_search_user_home_dirs($1) - allow $1 user_home_content_type:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_list_all_user_home_content'($*)) dnl - ') - - -######################################## -## -## List contents of users home directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_list_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_content'($*)) dnl - - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_list_user_home_content'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete directories -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_home_content_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_dirs'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_dirs'($*)) dnl - ') - - -######################################## -## -## Delete all user home content directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_home_content_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_dirs'($*)) dnl - - gen_require(` - attribute user_home_content_type; - type user_home_dir_t; - ') - - userdom_search_user_home_dirs($1) - delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_dirs'($*)) dnl - ') - - -######################################## -## -## Delete directories in a user home subdirectory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_user_home_content_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_dirs'($*)) dnl - - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:dir delete_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_dirs'($*)) dnl - ') - - -######################################## -## -## Set attributes of all user home content directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_setattr_all_user_home_content_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_setattr_all_user_home_content_dirs'($*)) dnl - - gen_require(` - attribute user_home_content_type; - ') - - userdom_search_user_home_dirs($1) - allow $1 user_home_content_type:dir setattr_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_setattr_all_user_home_content_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the -## attributes of user home files. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_setattr_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file setattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Map user home files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_map_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_map_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_map_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Mmap user home files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_mmap_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_mmap_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_mmap_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Read user home files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read user home files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_read_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Read all user home content, including application-specific resources. -## -## -## -## Domain allowed access -## -## -# - define(`userdom_read_all_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_all_user_home_content'($*)) dnl - - gen_require(` - attribute user_home_content_type; - ') - - list_dirs_pattern($1, user_home_content_type, user_home_content_type) - read_files_pattern($1, user_home_content_type, user_home_content_type) - read_lnk_files_pattern($1, user_home_content_type, user_home_content_type) - read_fifo_files_pattern($1, user_home_content_type, user_home_content_type) - read_sock_files_pattern($1, user_home_content_type, user_home_content_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_all_user_home_content'($*)) dnl - ') - - -######################################## -## -## Manage all user home content, including application-specific resources. 
-## -## -## -## Domain allowed access -## -## -# - define(`userdom_manage_all_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_home_content'($*)) dnl - - gen_require(` - attribute user_home_content_type; - ') - - manage_dirs_pattern($1, user_home_content_type, user_home_content_type) - manage_files_pattern($1, user_home_content_type, user_home_content_type) - manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type) - manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type) - manage_sock_files_pattern($1, user_home_content_type, user_home_content_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_home_content'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append user home files. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_append_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write user home files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_write_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Delete all user home content files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_files'($*)) dnl - - gen_require(` - attribute user_home_content_type; - type user_home_dir_t; - ') - - userdom_search_user_home_content($1) - delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Delete files in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to relabel user home files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_relabel_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Read user home subdirectory symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_user_home_content_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_symlinks'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_symlinks'($*)) dnl - ') - - -######################################## -## -## Execute user home files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`userdom_exec_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_exec_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) - ') - - tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_exec_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to execute user home files. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_exec_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_exec_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:file exec_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_exec_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete files -## in a user home subdirectory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_home_content_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_files'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to create, read, write, and delete directories -## in a user home subdirectory. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_manage_user_home_content_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl - - gen_require(` - type user_home_t; - ') - - dontaudit $1 user_home_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete symbolic links -## in a user home subdirectory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_home_content_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_symlinks'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_lnk_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_symlinks'($*)) dnl - ') - - -######################################## -## -## Delete all user home content symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_home_content_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_symlinks'($*)) dnl - - gen_require(` - attribute user_home_content_type; - type user_home_dir_t; - ') - - userdom_search_user_home_dirs($1) - delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_symlinks'($*)) dnl - ') - - -######################################## -## -## Delete symbolic links in a user home directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_user_home_content_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_symlinks'($*)) dnl - - gen_require(` - type user_home_t; - ') - - allow $1 user_home_t:lnk_file delete_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete named pipes -## in a user home subdirectory. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_home_content_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_pipes'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - manage_fifo_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete named sockets -## in a user home subdirectory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_home_content_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_sockets'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - allow $1 user_home_dir_t:dir search_dir_perms; - manage_sock_files_pattern($1, user_home_t, user_home_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_sockets'($*)) dnl - ') - - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`userdom_user_home_dir_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans'($*)) dnl - - gen_require(` - type user_home_dir_t; - ') - - filetrans_pattern($1, user_home_dir_t, $2, $3, $4) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in a directory located -## in a user home directory with an -## automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_user_home_content_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_content_filetrans'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - filetrans_pattern($1, user_home_t, $2, $3, $4) - allow $1 user_home_dir_t:dir search_dir_perms; - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_content_filetrans'($*)) dnl - ') - - -######################################## -## -## Automatically use the user_cert_t label for selected resources -## created in a users home directory -## -## -## -## Domain allowed access -## -## -## -## -## Resource type(s) for which the label should be used -## -## -## -## -## Name of the resource that is being created -## -## -# - define(`userdom_user_home_dir_filetrans_user_cert',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_user_cert'($*)) dnl - - gen_require(` - type user_cert_t; - ') - - userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_user_cert'($*)) dnl - ') - - -######################################## -## -## Create objects in a user home directory -## with an automatic type transition to -## the user home file type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_user_home_dir_filetrans_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl - ') - - -######################################## -## -## Read user SSL certificates. -## -## -## -## Domain allowed access. -## -## -## -# - define(`userdom_read_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_certs'($*)) dnl - - gen_require(` - type user_cert_t; - ') - - allow $1 user_cert_t:dir list_dir_perms; - read_files_pattern($1, user_cert_t, user_cert_t) - read_lnk_files_pattern($1, user_cert_t, user_cert_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_certs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to manage -## the user SSL certificates. -## -## -## -## Domain allowed access. -## -## -## -# - define(`userdom_dontaudit_manage_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_certs'($*)) dnl - - gen_require(` - type user_cert_t; - ') - - dontaudit $1 user_cert_t:dir manage_dir_perms; - dontaudit $1 user_cert_t:file manage_file_perms; - dontaudit $1 user_cert_t:lnk_file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_certs'($*)) dnl - ') - - -######################################## -## -## Manage user SSL certificates. 
-## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_certs'($*)) dnl - - gen_require(` - type user_cert_t; - ') - - manage_dirs_pattern($1, user_cert_t, user_cert_t) - manage_files_pattern($1, user_cert_t, user_cert_t) - manage_lnk_files_pattern($1, user_cert_t, user_cert_t) - files_search_home($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_certs'($*)) dnl - ') - - -######################################## -## -## Write to user temporary named sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_write_user_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_sockets'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:sock_file write_sock_file_perms; - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## List user temporary directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_list_user_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_list_user_tmp'($*)) dnl - - gen_require(` - type user_tmp_t, user_runtime_t; - ') - - allow $1 user_tmp_t:dir list_dir_perms; - allow $1 user_runtime_t:dir list_dir_perms; - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_list_user_tmp'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to list user -## temporary directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_list_user_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_tmp'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_tmp'($*)) dnl - ') - - -######################################## -## -## Delete users temporary directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_dirs'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - delete_dirs_pattern($1, user_tmp_t, user_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to manage users -## temporary directories. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_manage_user_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Read user temporary files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_read_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - read_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Map user temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_map_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_map_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_map_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_read_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to append users -## temporary files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_append_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read and write user temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_rw_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:dir list_dir_perms; - rw_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Delete users temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - delete_files_pattern($1, user_tmp_t, user_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to manage users -## temporary files. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_manage_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Read user temporary symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_user_tmp_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_symlinks'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_symlinks'($*)) dnl - ') - - -######################################## -## -## Delete users temporary symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_tmp_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_symlinks'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - delete_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## temporary directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_tmp_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_dirs'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_dirs_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_dirs'($*)) dnl - ') - - -######################################## -## -## Delete users temporary named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_tmp_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_named_pipes'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - delete_fifo_files_pattern($1, user_tmp_t, user_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_named_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## temporary files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Delete users temporary named sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_user_tmp_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_named_sockets'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - delete_sock_files_pattern($1, user_tmp_t, user_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_named_sockets'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## temporary symbolic links. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_tmp_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_symlinks'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## temporary named pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_tmp_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_pipes'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_pipes'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## temporary named sockets. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_tmp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_sockets'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_sockets'($*)) dnl - ') - - -######################################## -## -## Create objects in a user temporary directory -## with an automatic type transition to -## a specified private type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`userdom_user_tmp_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_filetrans'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - filetrans_pattern($1, user_tmp_t, $2, $3, $4) - files_search_tmp($1) - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_tmp_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the temporary directory -## with an automatic type transition to -## the user temporary type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_tmp_filetrans_user_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_tmp_filetrans_user_tmp'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - files_tmp_filetrans($1, user_tmp_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_tmp_filetrans_user_tmp'($*)) dnl - ') - - -######################################## -## -## Map user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_map_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_map_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_map_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Read user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## dontaudit Read attempts of user tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_dontaudit_read_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - dontaudit $1 user_tmpfs_t:file read_file_perms; - dontaudit $1 user_tmpfs_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## relabel to/from user tmpfs dirs -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabel_user_tmpfs_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmpfs_dirs'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom }; - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmpfs_dirs'($*)) dnl - ') - - -######################################## -## -## relabel to/from user tmpfs files -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabel_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - allow $1 user_tmpfs_t:dir list_dir_perms; - allow $1 user_tmpfs_t:file { relabelto relabelfrom }; - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable in -## the directory /run/user/%{USERID}/. -## -## -## -## Type to be used as a file in the -## user_runtime_content_dir_t. 
-## -## -# - define(`userdom_user_runtime_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_runtime_content'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - typeattribute $1 user_runtime_content_type; - files_type($1) - ubac_constrained($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_runtime_content'($*)) dnl - ') - - -######################################## -## -## Search users runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_search_user_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_search_user_runtime'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir search_dir_perms; - userdom_search_user_runtime_root($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_search_user_runtime'($*)) dnl - ') - - -######################################## -## -## Search user runtime root directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_search_user_runtime_root',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_search_user_runtime_root'($*)) dnl - - gen_require(` - type user_runtime_root_t; - ') - - allow $1 user_runtime_root_t:dir search_dir_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_search_user_runtime_root'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## runtime root dirs. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_runtime_root_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_runtime_root_dirs'($*)) dnl - - gen_require(` - type user_runtime_root_t; - ') - - allow $1 user_runtime_root_t:dir manage_dir_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_runtime_root_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from user runtime root dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabel_user_runtime_root_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_runtime_root_dirs'($*)) dnl - - gen_require(` - type user_runtime_root_t; - ') - - allow $1 user_runtime_root_t:dir { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabel_user_runtime_root_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user -## runtime dirs. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_runtime_dirs'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir manage_dir_perms; - userdom_search_user_runtime_root($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Mount a filesystem on user runtime dir -## directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_mounton_user_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_mounton_user_runtime_dirs'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir mounton; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_mounton_user_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel to user runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabelto_user_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_runtime_dirs'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel from user runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabelfrom_user_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabelfrom_user_runtime_dirs'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabelfrom_user_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## delete user runtime files -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_user_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_runtime_files'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - allow $1 user_runtime_t:dir list_dir_perms; - allow $1 user_runtime_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_runtime_files'($*)) dnl - ') - - -######################################## -## -## Search users runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_search_all_user_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_search_all_user_runtime'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir search_dir_perms; - userdom_search_user_runtime_root($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_search_all_user_runtime'($*)) dnl - ') - - -######################################## -## -## List user runtime directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_list_all_user_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_runtime'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir list_dir_perms; - userdom_search_user_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_list_all_user_runtime'($*)) dnl - ') - - -######################################## -## -## delete user runtime directories -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_all_user_runtime_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_runtime_dirs'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_runtime_dirs'($*)) dnl - ') - - -######################################## -## -## delete user runtime files -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_runtime_files'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir list_dir_perms; - allow $1 user_runtime_content_type:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_runtime_files'($*)) dnl - ') - - -######################################## -## -## delete user runtime symlink files -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_runtime_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_runtime_symlinks'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir list_dir_perms; - allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_runtime_symlinks'($*)) dnl - ') - - -######################################## -## -## delete user runtime fifo files -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_delete_all_user_runtime_named_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_runtime_named_pipes'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir list_dir_perms; - allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_runtime_named_pipes'($*)) dnl - ') - - -######################################## -## -## delete user runtime socket files -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_all_user_runtime_named_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_runtime_named_sockets'($*)) dnl - - gen_require(` - attribute user_runtime_content_type; - ') - - allow $1 user_runtime_content_type:dir list_dir_perms; - allow $1 user_runtime_content_type:file delete_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_runtime_named_sockets'($*)) dnl - ') - - -######################################## -## -## Create objects in the pid directory -## with an automatic type transition to -## the user runtime root type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_pid_filetrans_user_runtime_root',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_pid_filetrans_user_runtime_root'($*)) dnl - - gen_require(` - type user_runtime_root_t; - ') - - files_pid_filetrans($1, user_runtime_root_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_pid_filetrans_user_runtime_root'($*)) dnl - ') - - -######################################## -## -## Create objects in a user runtime -## directory with an automatic type -## transition to a specified private -## type. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to create. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`userdom_user_runtime_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_runtime_filetrans'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - filetrans_pattern($1, user_runtime_t, $2, $3, $4) - userdom_search_user_runtime_root($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_runtime_filetrans'($*)) dnl - ') - - -######################################## -## -## Create objects in the user runtime directory -## with an automatic type transition to -## the user temporary type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_user_runtime_filetrans_user_tmp',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_runtime_filetrans_user_tmp'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - userdom_user_runtime_filetrans($1, user_tmp_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_runtime_filetrans_user_tmp'($*)) dnl - ') - - -######################################## -## -## Create objects in the user runtime root -## directory with an automatic type transition -## to the user runtime dir type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`userdom_user_runtime_root_filetrans_user_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_runtime_root_filetrans_user_runtime'($*)) dnl - - gen_require(` - type user_runtime_root_t, user_runtime_t; - ') - - filetrans_pattern($1, user_runtime_root_t, user_runtime_t, $2, $3) - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_runtime_root_filetrans_user_runtime'($*)) dnl - ') - - -######################################## -## -## Create objects in the user runtime root -## directory with an automatic type transition -## to the user runtime dir type. -## -## -## -## Domain allowed access. -## -## -## -## -## The class of the object to be created. -## -## -## -## -## The name of the object being created. 
-## -## -# - define(`userdom_user_run_filetrans_user_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_user_run_filetrans_user_runtime'($*)) dnl - - gen_require(` - type user_runtime_t; - ') - - fs_tmpfs_filetrans($1, user_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_user_run_filetrans_user_runtime'($*)) dnl - ') - - -######################################## -## -## Read and write user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_rw_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Delete user tmpfs files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_delete_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete user tmpfs files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_manage_user_tmpfs_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmpfs_files'($*)) dnl - - gen_require(` - type user_tmpfs_t; - ') - - manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmpfs_files'($*)) dnl - ') - - -######################################## -## -## Get the attributes of a user domain tty. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_getattr_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_getattr_user_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes of a user domain tty. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_getattr_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_ttys'($*)) dnl - ') - - -######################################## -## -## Set the attributes of a user domain tty. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_setattr_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ttys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes of a user domain tty. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_setattr_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_ttys'($*)) dnl - ') - - -######################################## -## -## Read and write a user domain tty. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_use_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - allow $1 user_tty_device_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_user_ttys'($*)) dnl - ') - - -######################################## -## -## Read and write a user domain pty. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_use_user_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_user_ptys'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - term_list_ptys($1) - allow $1 user_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_user_ptys'($*)) dnl - ') - - -######################################## -## -## Read and write a user TTYs and PTYs. -## -## -##

-## Allow the specified domain to read and write user -## TTYs and PTYs. This will allow the domain to -## interact with the user via the terminal. Typically -## all interactive applications will require this -## access. -##

-##

-## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`userdom_use_inherited_user_terminals',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_terminals'($*)) dnl - - gen_require(` - type user_devpts_t, user_tty_device_t; - ') - - term_list_ptys($1) - allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_terminals'($*)) dnl - ') - - -######################################## -## -## Read, write and open a user TTYs and PTYs. -## -## -##

-## Allow the specified domain to read and write user -## TTYs and PTYs. This will allow the domain to -## interact with the user via the terminal. Typically -## all interactive applications will require this -## access. -##

-##

-## This interface will also allow to open these user -## terminals, which should not be necessary in general -## and userdom_use_inherited_user_terminals() should -## be sufficient. -##

-##

-## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`userdom_use_user_terminals',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_user_terminals'($*)) dnl - - userdom_use_user_ptys($1) - userdom_use_user_ttys($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_user_terminals'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## a user domain tty and pty. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_use_user_terminals',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_terminals'($*)) dnl - - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; - dontaudit $1 user_devpts_t:chr_file rw_term_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_terminals'($*)) dnl - ') - - -######################################## -## -## Execute a shell in all user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# - define(`userdom_spec_domtrans_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - corecmd_shell_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_all_users'($*)) dnl - ') - - -######################################## -## -## Execute an Xserver session in all user domains. 
This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# - define(`userdom_xsession_spec_domtrans_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - xserver_xsession_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_all_users'($*)) dnl - ') - - -######################################## -## -## Execute a shell in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# - define(`userdom_spec_domtrans_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - corecmd_shell_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_unpriv_users'($*)) dnl - ') - - -######################################## -## -## Execute an Xserver session in all unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`userdom_xsession_spec_domtrans_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - xserver_xsession_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl - ') - - -####################################### -## -## Read and write unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_rw_unpriv_user_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_semaphores'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem rw_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_semaphores'($*)) dnl - ') - - -######################################## -## -## Manage unpriviledged user SysV sempaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_unpriv_user_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_semaphores'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:sem create_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_semaphores'($*)) dnl - ') - - -####################################### -## -## Read and write unpriviledged user SysV shared -## memory segments. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_rw_unpriv_user_shared_mem',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_shared_mem'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:shm rw_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_shared_mem'($*)) dnl - ') - - -######################################## -## -## Manage unpriviledged user SysV shared -## memory segments. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_unpriv_user_shared_mem',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_shared_mem'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:shm create_shm_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_shared_mem'($*)) dnl - ') - - -######################################## -## -## Execute bin_t in the unprivileged user domains. This -## is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed to transition. -## -## -# - define(`userdom_bin_spec_domtrans_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - corecmd_bin_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl - ') - - -######################################## -## -## Execute all entrypoint files in unprivileged user -## domains. 
This is an explicit transition, requiring the -## caller to use setexeccon(). -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_entry_spec_domtrans_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - domain_entry_file_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; - allow unpriv_userdomain $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl - ') - - -######################################## -## -## Search users home directories. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_search_user_home_content',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_content'($*)) dnl - - gen_require(` - type user_home_dir_t, user_home_t; - ') - - files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_search_user_home_content'($*)) dnl - ') - - -######################################## -## -## Send signull to unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_signull_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_signull_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_signull_unpriv_users'($*)) dnl - ') - - -######################################## -## -## Send general signals to unprivileged user domains. 
-## -## -## -## Domain allowed access. -## -## -# - define(`userdom_signal_unpriv_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_signal_unpriv_users'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_signal_unpriv_users'($*)) dnl - ') - - -######################################## -## -## Inherit the file descriptors from unprivileged user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_use_unpriv_users_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_fds'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - allow $1 unpriv_userdomain:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit the file descriptors -## from unprivileged user domains. -## -## -##

-## Do not audit attempts to inherit the file descriptors -## from unprivileged user domains. This will suppress -## SELinux denial messages when the specified domain is denied -## the permission to inherit these file descriptors. -##

-##
-## -## -## Domain to not audit. -## -## -## -# - define(`userdom_dontaudit_use_unpriv_user_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl - - gen_require(` - attribute unpriv_userdomain; - ') - - dontaudit $1 unpriv_userdomain:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use user ptys. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_use_user_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ptys'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - dontaudit $1 user_devpts_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ptys'($*)) dnl - ') - - -######################################## -## -## Relabel files to unprivileged user pty types. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_relabelto_user_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_ptys'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - allow $1 user_devpts_t:chr_file relabelto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_ptys'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to relabel files from -## user pty types. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_relabelfrom_user_ptys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl - - gen_require(` - type user_devpts_t; - ') - - dontaudit $1 user_devpts_t:chr_file relabelfrom; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl - ') - - -######################################## -## -## Write all users files in /tmp -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_write_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - allow $1 user_tmp_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write users -## temporary files. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_write_user_tmp_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_tmp_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - dontaudit $1 user_tmp_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_tmp_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use user ttys. -## -## -## -## Domain to not audit. 
-## -## -# - define(`userdom_dontaudit_use_user_ttys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ttys'($*)) dnl - - gen_require(` - type user_tty_device_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ttys'($*)) dnl - ') - - -######################################## -## -## Read the process state of all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_all_users_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_state'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - read_files_pattern($1, userdomain, userdomain) - kernel_search_proc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_all_users_state'($*)) dnl - ') - - -######################################## -## -## Get the attributes of all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_getattr_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_getattr_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_getattr_all_users'($*)) dnl - ') - - -######################################## -## -## Inherit the file descriptors from all user domains -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_use_all_users_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_use_all_users_fds'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_use_all_users_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit the file -## descriptors from any user domains. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_use_all_users_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_all_users_fds'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - dontaudit $1 userdomain:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_all_users_fds'($*)) dnl - ') - - -######################################## -## -## Send general signals to all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_signal_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_signal_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_signal_all_users'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to all user domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_sigchld_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_sigchld_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_sigchld_all_users'($*)) dnl - ') - - -######################################## -## -## Read keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_read_all_users_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_keys'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_read_all_users_keys'($*)) dnl - ') - - -######################################## -## -## Write keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_write_all_users_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_write_all_users_keys'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_write_all_users_keys'($*)) dnl - ') - - -######################################## -## -## Read and write keys for all user domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_rw_all_users_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_rw_all_users_keys'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key { read view write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_rw_all_users_keys'($*)) dnl - ') - - -######################################## -## -## Create keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_create_all_users_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_create_all_users_keys'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_create_all_users_keys'($*)) dnl - ') - - -######################################## -## -## Manage keys for all user domains. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_all_users_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_keys'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - allow $1 userdomain:key manage_key_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_keys'($*)) dnl - ') - - -######################################## -## -## Send a dbus message to all user domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`userdom_dbus_send_all_users',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dbus_send_all_users'($*)) dnl - - gen_require(` - attribute userdomain; - class dbus send_msg; - ') - - allow $1 userdomain:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dbus_send_all_users'($*)) dnl - ') - - -# Gentoo added stuff, but cannot use an ifdef distro_gentoo for this - -######################################## -## -## Create, read, write, and delete user -## temporary character files. -## -## -## -## Domain allowed access. -## -## -# - define(`userdom_manage_user_tmp_chr_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_chr_files'($*)) dnl - - gen_require(` - type user_tmp_t; - ') - - manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) - userdom_search_user_runtime($1) - files_search_tmp($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_chr_files'($*)) dnl - ') - - -######################################## -## -## Allow relabeling resources to user_cert_t -## -## -## -## Domain allowed access -## -## -# - - define(`userdom_relabel_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_certs'($*)) dnl - - gen_require(` - type user_cert_t; - ') - - relabel_dirs_pattern($1, user_cert_t, user_cert_t) - relabel_files_pattern($1, user_cert_t, user_cert_t) - relabel_lnk_files_pattern($1, user_cert_t, user_cert_t) - relabel_sock_files_pattern($1, user_cert_t, user_cert_t) - relabel_fifo_files_pattern($1, user_cert_t, user_cert_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_relabel_user_certs'($*)) dnl - ') - - -######################################## -## -## Do not 
audit attempts to read and write -## unserdomain stream. -## -## -## -## Domain to not audit. -## -## -# - define(`userdom_dontaudit_rw_all_users_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_all_users_stream_sockets'($*)) dnl - - gen_require(` - attribute userdomain; - ') - - dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_all_users_stream_sockets'($*)) dnl - ') - -## Policy for tmpfiles, a boot-time temporary file handler - -######################################## -## -## Read resources in /run/tmpfiles.d/. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tmpfiles_read_runtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_read_runtime'($*)) dnl - - gen_require(` - type tmpfiles_runtime_t; - ') - - files_search_pids($1) - allow $1 tmpfiles_runtime_t:dir list_dir_perms; - allow $1 tmpfiles_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_read_runtime'($*)) dnl - ') - - -######################################## -## -## Create files in /run/tmpfiles.d/. -## -## -## -## Domain allowed access. -## -## -# - define(`tmpfiles_create_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_create_runtime_files'($*)) dnl - - gen_require(` - type tmpfiles_runtime_t; - ') - - create_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) - - tmpfiles_read_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_create_runtime_files'($*)) dnl - ') - - -######################################## -## -## Write to files in /run/tmpfiles.d/. -## -## -## -## Domain allowed access. 
-## -## -# - define(`tmpfiles_write_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_write_runtime_files'($*)) dnl - - gen_require(` - type tmpfiles_runtime_t; - ') - - write_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) - - tmpfiles_read_runtime($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_write_runtime_files'($*)) dnl - ') - - -######################################## -## -## Manage files in /run/tmpfiles.d/. -## -## -## -## Domain allowed access. -## -## -# - define(`tmpfiles_manage_runtime_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_manage_runtime_files'($*)) dnl - - gen_require(` - type tmpfiles_runtime_t; - ') - - tmpfiles_read_runtime($1) - - manage_files_pattern($1, tmpfiles_runtime_t, tmpfiles_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_manage_runtime_files'($*)) dnl - ') - - -######################################## -## -## Read files in /etc/tmpfiles.d/. -## -## -## -## Domain allowed to transition. -## -## -# - define(`tmpfiles_read_conf',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_read_conf'($*)) dnl - - gen_require(` - type tmpfiles_conf_t; - ') - - files_search_etc($1) - allow $1 tmpfiles_conf_t:dir list_dir_perms; - allow $1 tmpfiles_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_read_conf'($*)) dnl - ') - - -######################################## -## -## Create files in /etc/tmpfiles.d/. -## -## -## -## Domain allowed access. 
-## -## -# - define(`tmpfiles_create_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_create_conf_files'($*)) dnl - - gen_require(` - type tmpfiles_conf_t; - ') - - create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) - - tmpfiles_read_conf($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_create_conf_files'($*)) dnl - ') - - -######################################## -## -## Write to files in /etc/tmpfiles.d/. -## -## -## -## Domain allowed access. -## -## -# - define(`tmpfiles_write_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_write_conf_files'($*)) dnl - - gen_require(` - type tmpfiles_conf_t; - ') - - write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) - - tmpfiles_read_conf($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_write_conf_files'($*)) dnl - ') - - -######################################## -## -## Manage files in /etc/tmpfiles.d/. -## -## -## -## Domain allowed access. -## -## -# - define(`tmpfiles_manage_conf_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `tmpfiles_manage_conf_files'($*)) dnl - - gen_require(` - type tmpfiles_conf_t; - ') - - manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t) - - tmpfiles_read_conf($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `tmpfiles_manage_conf_files'($*)) dnl - ') - -## Policy for network configuration: ifconfig and dhcp client. - -####################################### -## -## Execute dhcp client in dhcpc domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`sysnet_domtrans_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t, dhcpc_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_domtrans_dhcpc'($*)) dnl - ') - - -######################################## -## -## Execute DHCP clients in the dhcpc domain, and -## allow the specified role the dhcpc domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sysnet_run_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_run_dhcpc'($*)) dnl - - gen_require(` - attribute_role dhcpc_roles; - ') - - sysnet_domtrans_dhcpc($1) - roleattribute $2 dhcpc_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_run_dhcpc'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and -## write dhcpc udp socket descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - dontaudit $1 dhcpc_t:udp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to use -## the dhcp file descriptors. -## -## -## -## Domain to not audit. 
-## -## -# - define(`sysnet_dontaudit_use_dhcpc_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - dontaudit $1 dhcpc_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read/write to the -## dhcp unix stream socket descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - dontaudit $1 dhcpc_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_sigchld_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_sigchld_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_sigchld_dhcpc'($*)) dnl - ') - - -######################################## -## -## Send a kill signal to the dhcp client. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`sysnet_kill_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_kill_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_kill_dhcpc'($*)) dnl - ') - - -######################################## -## -## Send a SIGSTOP signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_sigstop_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_sigstop_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process sigstop; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_sigstop_dhcpc'($*)) dnl - ') - - -######################################## -## -## Send a null signal to the dhcp client. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_signull_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_signull_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_signull_dhcpc'($*)) dnl - ') - - -######################################## -## -## Send a generic signal to the dhcp client. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`sysnet_signal_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_signal_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - ') - - allow $1 dhcpc_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_signal_dhcpc'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## dhcpc over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_dbus_chat_dhcpc',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dbus_chat_dhcpc'($*)) dnl - - gen_require(` - type dhcpc_t; - class dbus send_msg; - ') - - allow $1 dhcpc_t:dbus send_msg; - allow dhcpc_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dbus_chat_dhcpc'($*)) dnl - ') - - -######################################## -## -## Read and write dhcp configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_rw_dhcp_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_rw_dhcp_config'($*)) dnl - - gen_require(` - type dhcp_etc_t; - ') - - files_search_etc($1) - allow $1 dhcp_etc_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_rw_dhcp_config'($*)) dnl - ') - - -######################################## -## -## Search the DHCP client state -## directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysnet_search_dhcpc_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcpc_state'($*)) dnl - - gen_require(` - type dhcpc_state_t; - ') - - files_search_var_lib($1) - allow $1 dhcpc_state_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_search_dhcpc_state'($*)) dnl - ') - - -######################################## -## -## Read dhcp client state files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_read_dhcpc_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_state'($*)) dnl - - gen_require(` - type dhcpc_state_t; - ') - - read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_state'($*)) dnl - ') - - -####################################### -## -## Delete the dhcp client state files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_delete_dhcpc_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_state'($*)) dnl - - gen_require(` - type dhcpc_state_t; - ') - - delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_state'($*)) dnl - ') - - -####################################### -## -## Set the attributes of network config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysnet_setattr_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_setattr_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file setattr_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_setattr_config'($*)) dnl - ') - - -####################################### -## -## Read network config files. -## -## -##

-## Allow the specified domain to read the -## general network configuration files. A -## common example of this is the -## /etc/resolv.conf file, which has domain -## name system (DNS) server IP addresses. -## Typically, most networking processes will -## require the access provided by this interface. -##

-##

-## Higher-level interfaces which involve -## networking will generally call this interface, -## for example: -##

-##
    -##
  • sysnet_dns_name_resolve()
  • -##
  • sysnet_use_ldap()
  • -##
  • sysnet_use_portmap()
  • -##
-##
-## -## -## Domain allowed access. -## -## -# - define(`sysnet_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_read_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file read_file_perms; - - ifdef(`distro_debian',` - files_search_pids($1) - allow $1 net_conf_t:dir list_dir_perms; - read_files_pattern($1, net_conf_t, net_conf_t) - ') - - ifdef(`distro_redhat',` - allow $1 net_conf_t:dir list_dir_perms; - read_files_pattern($1, net_conf_t, net_conf_t) - ') - - ifdef(`init_systemd',` - systemd_read_resolved_runtime($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_read_config'($*)) dnl - ') - - -####################################### -## -## Do not audit attempts to read network config files. -## -## -## -## Domain to not audit. -## -## -# - define(`sysnet_dontaudit_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_read_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - dontaudit $1 net_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_read_config'($*)) dnl - ') - - -####################################### -## -## Write network config files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_write_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_write_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file write_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_write_config'($*)) dnl - ') - - -####################################### -## -## Create network config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysnet_create_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_create_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file create_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_create_config'($*)) dnl - ') - - -####################################### -## -## Relabel network config files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_relabel_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_relabel_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_relabel_config'($*)) dnl - ') - - -####################################### -## -## Create files in /etc with the type used for -## the network config files. -## -## -## -## Domain allowed access. -## -## -## -## -## The name of the object being created. -## -## -# - define(`sysnet_etc_filetrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_etc_filetrans_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_etc_filetrans($1, net_conf_t, file, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_etc_filetrans_config'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete network config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysnet_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_manage_config'($*)) dnl - - gen_require(` - type net_conf_t; - ') - - files_search_etc($1) - allow $1 net_conf_t:file manage_file_perms; - - ifdef(`distro_debian',` - files_search_pids($1) - manage_files_pattern($1, net_conf_t, net_conf_t) - ') - - ifdef(`distro_redhat',` - manage_files_pattern($1, net_conf_t, net_conf_t) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_manage_config'($*)) dnl - ') - - -####################################### -## -## Read the dhcp client pid file. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_read_dhcpc_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_pid'($*)) dnl - - gen_require(` - type dhcpc_runtime_t; - ') - - files_list_pids($1) - allow $1 dhcpc_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_pid'($*)) dnl - ') - - -####################################### -## -## Delete the dhcp client pid file. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_delete_dhcpc_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_pid'($*)) dnl - - gen_require(` - type dhcpc_runtime_t; - ') - - allow $1 dhcpc_runtime_t:file unlink; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_pid'($*)) dnl - ') - - -####################################### -## -## Execute ifconfig in the ifconfig domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`sysnet_domtrans_ifconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_ifconfig'($*)) dnl - - gen_require(` - type ifconfig_t, ifconfig_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_domtrans_ifconfig'($*)) dnl - ') - - -######################################## -## -## Execute ifconfig in the ifconfig domain, and -## allow the specified role the ifconfig domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`sysnet_run_ifconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_run_ifconfig'($*)) dnl - - gen_require(` - type ifconfig_t; - ') - - corecmd_search_bin($1) - sysnet_domtrans_ifconfig($1) - role $2 types ifconfig_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_run_ifconfig'($*)) dnl - ') - - -####################################### -## -## Execute ifconfig in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_exec_ifconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_exec_ifconfig'($*)) dnl - - gen_require(` - type ifconfig_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ifconfig_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_exec_ifconfig'($*)) dnl - ') - - -######################################## -## -## Send a generic signal to ifconfig. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`sysnet_signal_ifconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_signal_ifconfig'($*)) dnl - - gen_require(` - type ifconfig_t; - ') - - allow $1 ifconfig_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_signal_ifconfig'($*)) dnl - ') - - -######################################## -## -## Send null signals to ifconfig. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sysnet_signull_ifconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_signull_ifconfig'($*)) dnl - - gen_require(` - type ifconfig_t; - ') - - allow $1 ifconfig_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_signull_ifconfig'($*)) dnl - ') - - -######################################## -## -## Read the DHCP configuration files. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_read_dhcp_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcp_config'($*)) dnl - - gen_require(` - type dhcp_etc_t; - ') - - files_search_etc($1) - allow $1 dhcp_etc_t:dir list_dir_perms; - read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_read_dhcp_config'($*)) dnl - ') - - -######################################## -## -## Search the DHCP state data directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`sysnet_search_dhcp_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcp_state'($*)) dnl - - gen_require(` - type dhcp_state_t; - ') - - files_search_var_lib($1) - allow $1 dhcp_state_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_search_dhcp_state'($*)) dnl - ') - - -######################################## -## -## Create DHCP state data. -## -## -##

-## Create DHCP state data. -##

-##

-## This is added for DHCP server, as -## the server and client put their state -## files in the same directory. -##

-##
-## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created -## -## -## -## -## The object class. -## -## -## -## -## The name of the object being created. -## -## -# - define(`sysnet_dhcp_state_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dhcp_state_filetrans'($*)) dnl - - gen_require(` - type dhcp_state_t; - ') - - files_search_var_lib($1) - filetrans_pattern($1, dhcp_state_t, $2, $3, $4) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dhcp_state_filetrans'($*)) dnl - ') - - -######################################## -## -## Perform a DNS name resolution. -## -## -## -## Domain allowed access. -## -## -## -# - define(`sysnet_dns_name_resolve',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dns_name_resolve'($*)) dnl - - - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - allow $1 self:netlink_route_socket r_netlink_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_connect_dns_port($1) - corenet_sendrecv_dns_client_packets($1) - - sysnet_read_config($1) - - optional_policy(` - avahi_stream_connect($1) - ') - - optional_policy(` - # for /etc/resolv.conf symlink - networkmanager_read_pid_files($1) - ') - - optional_policy(` - nscd_use($1) - ') - - ifdef(`init_systemd',` - optional_policy(` - systemd_dbus_chat_resolved($1) - ') - # This seems needed when the mymachines NSS module is used - optional_policy(` - systemd_read_machines($1) - ') - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dns_name_resolve'($*)) dnl - ') - - 
-######################################## -## -## Connect and use a LDAP server. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_use_ldap',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_use_ldap'($*)) dnl - - - allow $1 self:tcp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_tcp_connect_ldap_port($1) - corenet_sendrecv_ldap_client_packets($1) - - # Support for LDAPS - dev_read_rand($1) - dev_read_urand($1) - - sysnet_read_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_use_ldap'($*)) dnl - ') - - -######################################## -## -## Connect and use remote port mappers. -## -## -## -## Domain allowed access. -## -## -# - define(`sysnet_use_portmap',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_use_portmap'($*)) dnl - - - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) - corenet_tcp_connect_portmap_port($1) - corenet_sendrecv_portmap_client_packets($1) - - sysnet_read_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_use_portmap'($*)) dnl - ') - - -# This should be after an ifdef distro_gentoo but that is not allowed in an if file - -######################################## -## -## Make the specified program domain -## accessable from the DHCP hooks/scripts. -## -## -## -## The type of the process to transition to. 
-## -## -## -## -## The type of the file used as an entrypoint to this domain. -## -## -# - define(`sysnet_dhcpc_script_entry',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `sysnet_dhcpc_script_entry'($*)) dnl - - gen_require(` - type dhcpc_script_t; - attribute_role dhcpc_roles; - ') - - role dhcpc_roles types $1; - - domtrans_pattern(dhcpc_script_t, $2, $1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `sysnet_dhcpc_script_entry'($*)) dnl - ') - -## Policy for udev. - -######################################## -## -## Send generic signals to udev. -## -## -## -## Domain allowed access. -## -## -# - define(`udev_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_signal'($*)) dnl - - gen_require(` - type udev_t; - ') - - allow $1 udev_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_signal'($*)) dnl - ') - - -######################################## -## -## Execute udev in the udev domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`udev_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_domtrans'($*)) dnl - - gen_require(` - type udev_t, udev_exec_t; - ') - - domtrans_pattern($1, udev_exec_t, udev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow udev to execute the specified program in -## the specified domain. -## -## -##

-## This is a interface to support the UDEV 'RUN' -## command. This will allow the command run by -## udev to be run in a domain other than udev_t. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# - define(`udev_run_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_run_domain'($*)) dnl - - gen_require(` - type udev_t; - ') - - domtrans_pattern(udev_t,$2,$1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_run_domain'($*)) dnl - ') - - -######################################## -## -## Execute udev in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`udev_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_exec'($*)) dnl - - gen_require(` - type udev_exec_t; - ') - - can_exec($1, udev_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_exec'($*)) dnl - ') - - -######################################## -## -## Execute a udev helper in the udev domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`udev_helper_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_helper_domtrans'($*)) dnl - - gen_require(` - type udev_t, udev_helper_exec_t; - ') - - domtrans_pattern($1, udev_helper_exec_t, udev_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_helper_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow process to read udev process state. -## -## -## -## Domain allowed access. 
-## -## -# - define(`udev_read_state',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_read_state'($*)) dnl - - gen_require(` - type udev_t; - ') - - kernel_search_proc($1) - allow $1 udev_t:file read_file_perms; - allow $1 udev_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_read_state'($*)) dnl - ') - - - -######################################## -## -## Allow domain to create uevent sockets. -## -## -## -## Domain allowed access. -## -## -# - define(`udev_create_kobject_uevent_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_create_kobject_uevent_sockets'($*)) dnl - - gen_require(` - type udev_t; - ') - - allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_create_kobject_uevent_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit a -## udev file descriptor. -## -## -## -## Domain to not audit. -## -## -# - define(`udev_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_dontaudit_use_fds'($*)) dnl - - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## to a udev unix datagram socket. -## -## -## -## Domain to not audit. 
-## -## -# - define(`udev_dontaudit_rw_dgram_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_dontaudit_rw_dgram_sockets'($*)) dnl - - gen_require(` - type udev_t; - ') - - dontaudit $1 udev_t:unix_dgram_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_dontaudit_rw_dgram_sockets'($*)) dnl - ') - - -######################################## -## -## Read udev rules files -## -## -## -## Domain allowed access. -## -## -# - define(`udev_read_rules_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_read_rules_files'($*)) dnl - - gen_require(` - type udev_rules_t; - ') - - files_search_etc($1) # /etc/udev/rules.d - udev_search_pids($1) # /run/udev/rules.d - read_files_pattern($1, udev_rules_t, udev_rules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_read_rules_files'($*)) dnl - ') - - - -######################################## -## -## Manage udev rules files -## -## -## -## Domain allowed access. -## -## -# - define(`udev_manage_rules_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_manage_rules_files'($*)) dnl - - gen_require(` - type udev_rules_t; - ') - - manage_files_pattern($1, udev_rules_t, udev_rules_t) - - files_search_etc($1) - - udev_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_manage_rules_files'($*)) dnl - ') - - -######################################## -## -## Do not audit search of udev database directories. -## -## -## -## Domain to not audit. 
-## -## -# - define(`udev_dontaudit_search_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_dontaudit_search_db'($*)) dnl - - gen_require(` - type udev_tbl_t; - ') - - dontaudit $1 udev_tbl_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_dontaudit_search_db'($*)) dnl - ') - - -######################################## -## -## Read the udev device table. -## -## -##

-## Allow the specified domain to read the udev device table. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`udev_read_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_read_db'($*)) dnl - - gen_require(` - type udev_tbl_t; - ') - - allow $1 udev_tbl_t:dir list_dir_perms; - - read_files_pattern($1, udev_tbl_t, udev_tbl_t) - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) - - dev_list_all_dev_nodes($1) - - files_search_etc($1) - - # Device table files are beneith /run/udev - udev_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_read_db'($*)) dnl - ') - - -######################################## -## -## Allow process to modify list of devices. -## -## -## -## Domain allowed access. -## -## -# - define(`udev_rw_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_rw_db'($*)) dnl - - gen_require(` - type udev_tbl_t; - ') - - dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_rw_db'($*)) dnl - ') - - -######################################## -## -## Create udev database directories -## -## -## -## Domain allowed access. -## -## -# - define(`udev_create_db_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_create_db_dirs'($*)) dnl - - gen_require(` - type udev_tbl_t; - type udev_runtime_t; - ') - - create_dirs_pattern($1, udev_runtime_t, udev_tbl_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_create_db_dirs'($*)) dnl - ') - - - - -######################################## -## -## Write in /var/run/udev with the udev_tbl_t (udev database) file type -## -## -## -## Domain allowed access. 
-## -## -## -## -## Classes on which the file transition should occur -## -## -## -## -## Name of the directory that the file transition will work on -## -## -# - define(`udev_pid_filetrans_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_pid_filetrans_db'($*)) dnl - - gen_require(` - type udev_tbl_t; - type udev_runtime_t; - ') - - filetrans_pattern($1, udev_runtime_t, udev_tbl_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_pid_filetrans_db'($*)) dnl - ') - - -######################################## -## -## Allow process to relabelto udev database -## -## -## -## Domain allowed access. -## -## -# - define(`udev_relabelto_db',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_relabelto_db'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_pids($1) - allow $1 udev_runtime_t:file relabelto_file_perms; - allow $1 udev_runtime_t:lnk_file relabelto_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_relabelto_db'($*)) dnl - ') - - -######################################## -## -## Allow process to relabelto sockets in /run/udev -## -## -## -## Domain allowed access. -## -## -# - define(`udev_relabelto_db_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_relabelto_db_sockets'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - allow $1 udev_runtime_t:sock_file relabelto_sock_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_relabelto_db_sockets'($*)) dnl - ') - - -######################################## -## -## Search through udev pid content -## -## -## -## Domain allowed access. 
-## -## -# - define(`udev_search_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_search_pids'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_var_lib($1) - search_dirs_pattern($1, udev_runtime_t, udev_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_search_pids'($*)) dnl - ') - - -######################################## -## -## list udev pid content -## -## -## -## Domain allowed access. -## -## -# - define(`udev_list_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_list_pids'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_pids($1) - allow $1 udev_runtime_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_list_pids'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## udev run directories -## -## -## -## Domain allowed access. -## -## -# - define(`udev_manage_pid_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_manage_pid_dirs'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, udev_runtime_t, udev_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_manage_pid_dirs'($*)) dnl - ') - - -######################################## -## -## Read udev pid files -## -## -## -## Domain allowed access. 
-## -## -# - define(`udev_read_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_read_pid_files'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, udev_runtime_t, udev_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_read_pid_files'($*)) dnl - ') - - - -######################################## -## -## dontaudit attempts to read/write udev pidfiles -## -## -## -## Domain allowed access. -## -## -# - define(`udev_dontaudit_rw_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_dontaudit_rw_pid_files'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - dontaudit $1 udev_runtime_t:file { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_dontaudit_rw_pid_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## udev pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`udev_manage_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_manage_pid_files'($*)) dnl - - gen_require(` - type udev_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, udev_runtime_t, udev_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_manage_pid_files'($*)) dnl - ') - - -######################################## -## -## Write dirs in /var/run with the udev_runtime file type. -## This method is deprecated in favor of the init_daemon_run_dir call. -## -## -## -## Domain allowed access. 
-## -## -## -## -## Name of the directory that the file transition will work on -## -## -# - define(`udev_generic_pid_filetrans_run_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_generic_pid_filetrans_run_dirs'($*)) dnl - - refpolicywarn(`$0($*) has been deprecated.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_generic_pid_filetrans_run_dirs'($*)) dnl - ') - - -######################################## -## -## Execute udev admin in the udevadm domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`udevadm_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udevadm_domtrans'($*)) dnl - - gen_require(` - type udevadm_t, udevadm_exec_t; - ') - - domtrans_pattern($1, udevadm_exec_t, udevadm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udevadm_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute udevadm in the udevadm domain, and -## allow the specified role the udevadm domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`udevadm_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udevadm_run'($*)) dnl - - gen_require(` - attribute_role udevadm_roles; - ') - - udevadm_domtrans($1) - roleattribute $2 udevadm_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udevadm_run'($*)) dnl - ') - - -######################################## -## -## Execute udevadm in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`udevadm_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udevadm_exec'($*)) dnl - - gen_require(` - type udevadm_exec_t; - ') - - can_exec($1, udevadm_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udevadm_exec'($*)) dnl - ') - - -# Gentoo specific but cannot add it within an ifdef distro_gentoo - -######################################### -## -## Write in /var/run/udev with the udev_rules_t (udev rules) file type -## -## -## -## Domain allowed access. -## -## -## -## -## Classes on which the file transition should occur -## -## -## -## -## Name of the directory that the file transition will work on -## -## -# - define(`udev_pid_filetrans_rules',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_pid_filetrans_rules'($*)) dnl - - gen_require(` - type udev_rules_t; - type udev_runtime_t; - ') - - filetrans_pattern($1, udev_runtime_t, udev_rules_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_pid_filetrans_rules'($*)) dnl - ') - - -######################################## -## -## Create udev rules directories -## -## -## -## Domain allowed access. -## -## -# - define(`udev_create_rules_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `udev_create_rules_dirs'($*)) dnl - - gen_require(` - type udev_rules_t; - type udev_runtime_t; - ') - - create_dirs_pattern($1, udev_runtime_t, udev_rules_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `udev_create_rules_dirs'($*)) dnl - ') - - -## The unconfined domain. - -######################################## -## -## Make the specified domain unconfined. -## -## -## -## Domain to make unconfined. 
-## -## -# - define(`unconfined_domain_noaudit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_domain_noaudit'($*)) dnl - - gen_require(` - type unconfined_t; - class dbus all_dbus_perms; - class nscd all_nscd_perms; - class passwd all_passwd_perms; - class service all_service_perms; - ') - - # Use most Linux capabilities - allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; - allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm }; - allow $1 self:fifo_file manage_fifo_file_perms; - - # Transition to myself, to make get_ordered_context_list happy. - allow $1 self:process transition; - - # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; - - # Userland object managers - allow $1 self:nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv }; - allow $1 self:dbus { acquire_svc send_msg }; - allow $1 self:passwd { passwd chfn chsh rootok crontab }; - allow $1 self:association { sendto recvfrom setcontext polmatch }; - - kernel_unconfined($1) - corenet_unconfined($1) - dev_unconfined($1) - domain_unconfined($1) - domain_dontaudit_read_all_domains_state($1) - domain_dontaudit_ptrace_all_domains($1) - files_unconfined($1) - fs_unconfined($1) - selinux_unconfined($1) - files_get_etc_unit_status($1) - files_start_etc_service($1) - files_stop_etc_service($1) - - tunable_policy(`allow_execheap',` - # Allow making the stack executable via mprotect. - allow $1 self:process execheap; - ') - - tunable_policy(`allow_execmem',` - # Allow making anonymous memory executable, e.g. 
- # for runtime-code generation or executable stack. - allow $1 self:process execmem; - ') - - tunable_policy(`allow_execstack',` - # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; -# auditallow $1 self:process execstack; - ') - - optional_policy(` - auth_unconfined($1) - ') - - optional_policy(` - dbus_unconfined($1) - ') - - optional_policy(` - ipsec_setcontext_default_spd($1) - ipsec_match_default_spd($1) - ') - - optional_policy(` - nscd_unconfined($1) - ') - - optional_policy(` - postgresql_unconfined($1) - ') - - optional_policy(` - seutil_create_bin_policy($1) - seutil_relabelto_bin_policy($1) - ') - - optional_policy(` - storage_unconfined($1) - ') - - optional_policy(` - xserver_unconfined($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_domain_noaudit'($*)) dnl - ') - - -######################################## -## -## Make the specified domain unconfined and -## audit executable heap usage. -## -## -##

-## Make the specified domain unconfined and -## audit executable heap usage. With exception -## of memory protections, usage of this interface -## will result in the level of access the domain has -## is like SELinux was not being used. -##

-##

-## Only completely trusted domains should use this interface. -##

-##

-## Does not allow return communications from confined -## domains via message based mechanisms such as dbus or -## SysV message queues. -##

-##
-## -## -## Domain to make unconfined. -## -## -# - define(`unconfined_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_domain'($*)) dnl - - unconfined_domain_noaudit($1) - - tunable_policy(`allow_execheap',` - auditallow $1 self:process execheap; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_domain'($*)) dnl - ') - - -######################################## -## -## Transition to the unconfined domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`unconfined_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_domtrans'($*)) dnl - - gen_require(` - type unconfined_t, unconfined_exec_t; - ') - - domtrans_pattern($1, unconfined_exec_t, unconfined_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute specified programs in the unconfined domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the unconfined domain. -## -## -# - define(`unconfined_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_run'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - unconfined_domtrans($1) - role $2 types unconfined_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_run'($*)) dnl - ') - - -######################################## -## -## Transition to the unconfined domain by executing a shell. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`unconfined_shell_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_shell_domtrans'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - corecmd_shell_domtrans($1, unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_shell_domtrans'($*)) dnl - ') - - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# - define(`unconfined_domtrans_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_domtrans_to'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - domtrans_pattern(unconfined_t,$2,$1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_domtrans_to'($*)) dnl - ') - - -######################################## -## -## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -## -## -##

-## Allow unconfined to execute the specified program in -## the specified domain. Allow the specified domain the -## unconfined role and use of unconfined user terminals. -##

-##

-## This is a interface to support third party modules -## and its use is not allowed in upstream reference -## policy. -##

-##
-## -## -## Domain to execute in. -## -## -## -## -## Domain entry point file. -## -## -# - define(`unconfined_run_to',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_run_to'($*)) dnl - - gen_require(` - type unconfined_t; - role unconfined_r; - ') - - domtrans_pattern(unconfined_t,$2,$1) - role unconfined_r types $1; - userdom_use_user_terminals($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_run_to'($*)) dnl - ') - - -######################################## -## -## Inherit file descriptors from the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_use_fds'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_use_fds'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_sigchld',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_sigchld'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_sigchld'($*)) dnl - ') - - -######################################## -## -## Send a SIGNULL signal to the unconfined domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`unconfined_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_signull'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_signull'($*)) dnl - ') - - -######################################## -## -## Send generic signals to the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_signal'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_signal'($*)) dnl - ') - - -######################################## -## -## Read unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_read_pipes'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file read_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_read_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. 
-## -## -# - define(`unconfined_dontaudit_read_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_pipes'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_pipes'($*)) dnl - ') - - -######################################## -## -## Read and write unconfined domain unnamed pipes. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_rw_pipes'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:fifo_file rw_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain unnamed pipes. -## -## -## -## Domain to not audit. -## -## -# - define(`unconfined_dontaudit_rw_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_pipes'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:fifo_file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_pipes'($*)) dnl - ') - - -######################################## -## -## Connect to the unconfined domain using -## a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`unconfined_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_stream_connect'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:unix_stream_socket connectto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_stream_connect'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## unconfined domain stream. -## -## -## -## Domain to not audit. -## -## -# - define(`unconfined_dontaudit_rw_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_stream_sockets'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read or write -## unconfined domain tcp sockets. -## -## -##

-## Do not audit attempts to read or write -## unconfined domain tcp sockets. -##

-##

-## This interface was added due to a broken -## symptom in ldconfig. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`unconfined_dontaudit_rw_tcp_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - dontaudit $1 unconfined_t:tcp_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_tcp_sockets'($*)) dnl - ') - - -######################################## -## -## Search keys for the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_search_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_search_keys'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_search_keys'($*)) dnl - ') - - -######################################## -## -## Create keys for the unconfined domain. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_create_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_create_keys'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key create; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_create_keys'($*)) dnl - ') - - -######################################## -## -## Write keys for the unconfined domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`unconfined_write_keys',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_write_keys'($*)) dnl - - gen_require(` - type unconfined_t; - ') - - allow $1 unconfined_t:key write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_write_keys'($*)) dnl - ') - - -######################################## -## -## Send messages to the unconfined domain over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_dbus_send',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dbus_send'($*)) dnl - - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dbus_send'($*)) dnl - ') - - -######################################## -## -## Send and receive messages from -## unconfined_t over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`unconfined_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dbus_chat'($*)) dnl - - gen_require(` - type unconfined_t; - class dbus send_msg; - ') - - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Connect to the the unconfined DBUS -## for service (acquire_svc). -## -## -## -## Domain allowed access. 
-## -## -# - define(`unconfined_dbus_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `unconfined_dbus_connect'($*)) dnl - - gen_require(` - type unconfined_t; - class dbus acquire_svc; - ') - - allow $1 unconfined_t:dbus acquire_svc; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `unconfined_dbus_connect'($*)) dnl - ') - -## Manages physical or virtual terminals. - -######################################## -## -## Execute gettys in the getty domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`getty_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_domtrans'($*)) dnl - - gen_require(` - type getty_t, getty_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, getty_exec_t, getty_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_domtrans'($*)) dnl - ') - - -######################################## -## -## Do not audit the use of getty file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`getty_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_dontaudit_use_fds'($*)) dnl - - gen_require(` - type getty_t; - ') - - dontaudit $1 getty_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Inherit and use getty file descriptors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`getty_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_use_fds'($*)) dnl - - gen_require(` - type getty_t; - ') - - allow $1 getty_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_use_fds'($*)) dnl - ') - - -######################################## -## -## Allow process to read getty log file. -## -## -## -## Domain allowed access. -## -## -## -# - define(`getty_read_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_read_log'($*)) dnl - - gen_require(` - type getty_log_t; - ') - - logging_search_logs($1) - allow $1 getty_log_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_read_log'($*)) dnl - ') - - -######################################## -## -## Allow process to read getty config file. -## -## -## -## Domain allowed access. -## -## -## -# - define(`getty_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_read_config'($*)) dnl - - gen_require(` - type getty_conf_t; - ') - - files_search_etc($1) - allow $1 getty_conf_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_read_config'($*)) dnl - ') - - -######################################## -## -## Allow process to edit getty config file. -## -## -## -## Domain allowed access. -## -## -## -# - define(`getty_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `getty_rw_config'($*)) dnl - - gen_require(` - type getty_conf_t; - ') - - files_search_etc($1) - allow $1 getty_conf_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `getty_rw_config'($*)) dnl - ') - -## Miscellaneous files. 
- -######################################## -## -## Make the specified type usable as a cert file. -## -## -##

-## Make the specified type usable for cert files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## cert management tools. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_type()
  • -##
-##

-## Example: -##

-##

-## type mycertfile_t; -## cert_type(mycertfile_t) -## allow mydomain_t mycertfile_t:file read_file_perms; -## files_search_etc(mydomain_t) -##

-##
-## -## -## Type to be used for files. -## -## -## -# - define(`miscfiles_cert_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_cert_type'($*)) dnl - - gen_require(` - attribute cert_type; - ') - - typeattribute $1 cert_type; - files_type($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_cert_type'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable -## as a SSL/TLS private key file. -## -## -##

-## Make the specified type usable for SSL/TLS private key files. -## This will also make the type usable for files, making -## calls to files_type() redundant. Failure to use this interface -## for a temporary file may result in problems with -## SSL/TLS private key management tools. -##

-##

-## Related interfaces: -##

-##
    -##
  • files_type()
  • -##
-##

-## Example: -##

-##

-## type mytlsprivkeyfile_t; -## tls_privkey_type(mytlsprivkeyfile_t) -## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms; -## files_search_etc(mydomain_t) -##

-##
-## -## -## Type to be used for files. -## -## -## -# - define(`miscfiles_tls_privkey_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_tls_privkey_type'($*)) dnl - - gen_require(` - attribute tls_privkey_type; - ') - - typeattribute $1 tls_privkey_type; - files_type($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_tls_privkey_type'($*)) dnl - ') - - -######################################## -## -## Read all SSL/TLS certificates. -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_all_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_all_certs'($*)) dnl - - gen_require(` - attribute cert_type; - ') - - allow $1 cert_type:dir list_dir_perms; - read_files_pattern($1, cert_type, cert_type) - read_lnk_files_pattern($1, cert_type, cert_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_all_certs'($*)) dnl - ') - - -######################################## -## -## Read generic SSL/TLS certificates. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_read_generic_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_generic_certs'($*)) dnl - - gen_require(` - type cert_t; - ') - - allow $1 cert_t:dir list_dir_perms; - read_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_generic_certs'($*)) dnl - ') - - -###################################### -## -## Manage user-managed SSL certificates -## -## -## -## Domain allowed access -## -## -# - define(`miscfiles_manage_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_user_certs'($*)) dnl - - userdom_manage_user_certs($1) - refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_user_certs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read generic SSL/TLS certificates. -## -## -## -## Domain to not audit. 
-## -## -## -# - define(`miscfiles_dontaudit_read_generic_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_read_generic_certs'($*)) dnl - - gen_require(` - type cert_t; - ') - - dontaudit $1 cert_t:dir list_dir_perms; - dontaudit $1 cert_t:file read_file_perms; - dontaudit $1 cert_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_read_generic_certs'($*)) dnl - ') - - -######################################## -## -## Relabel from/to user_cert_t (user-managed SSL certificates) -## -## -## -## Domain allowed access -## -## -# - define(`miscfiles_relabel_user_certs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_user_certs'($*)) dnl - - userdom_relabel_user_certs($1) - refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_certs() instead.') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_relabel_user_certs'($*)) dnl - ') - - -######################################## -## -## Manage generic SSL/TLS certificates. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_manage_generic_cert_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_dirs'($*)) dnl - - gen_require(` - type cert_t; - ') - - manage_dirs_pattern($1, cert_t, cert_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_dirs'($*)) dnl - ') - - -######################################## -## -## Manage generic SSL/TLS certificates. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_manage_generic_cert_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_files'($*)) dnl - - gen_require(` - type cert_t; - ') - - manage_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_files'($*)) dnl - ') - - -######################################## -## -## Read generic SSL/TLS private -## keys. -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_generic_tls_privkey',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_generic_tls_privkey'($*)) dnl - - gen_require(` - type tls_privkey_t; - ') - - allow $1 tls_privkey_t:dir list_dir_perms; - read_files_pattern($1, tls_privkey_t, tls_privkey_t) - read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_generic_tls_privkey'($*)) dnl - ') - - -######################################## -## -## Manage generic SSL/TLS private -## keys. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_manage_generic_tls_privkey_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_tls_privkey_dirs'($*)) dnl - - gen_require(` - type tls_privkey_t; - ') - - manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_tls_privkey_dirs'($*)) dnl - ') - - -######################################## -## -## Manage generic SSL/TLS private -## keys. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_manage_generic_tls_privkey_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_tls_privkey_files'($*)) dnl - - gen_require(` - type tls_privkey_t; - ') - - manage_files_pattern($1, tls_privkey_t, tls_privkey_t) - read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_tls_privkey_files'($*)) dnl - ') - - -######################################## -## -## Read fonts. -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_fonts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_fonts'($*)) dnl - - gen_require(` - type fonts_t, fonts_cache_t; - ') - - # cjp: fonts can be in either of these dirs - files_search_usr($1) - libs_search_lib($1) - - allow $1 fonts_t:dir list_dir_perms; - read_files_pattern($1, fonts_t, fonts_t) - allow $1 fonts_t:file map; - read_lnk_files_pattern($1, fonts_t, fonts_t) - - allow $1 fonts_cache_t:dir list_dir_perms; - read_files_pattern($1, fonts_cache_t, fonts_cache_t) - allow $1 fonts_cache_t:file map; - read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_fonts'($*)) dnl - ') - - -######################################## -## -## Set the attributes on a fonts directory. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_setattr_fonts_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_dirs'($*)) dnl - - gen_require(` - type fonts_t; - ') - - allow $1 fonts_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## on a fonts directory. -## -## -## -## Domain to not audit. -## -## -## -# - define(`miscfiles_dontaudit_setattr_fonts_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl - - gen_require(` - type fonts_t; - ') - - dontaudit $1 fonts_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write fonts. -## -## -## -## Domain to not audit. -## -## -## -# - define(`miscfiles_dontaudit_write_fonts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_write_fonts'($*)) dnl - - gen_require(` - type fonts_t; - ') - - dontaudit $1 fonts_t:dir { write setattr }; - dontaudit $1 fonts_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_write_fonts'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete fonts. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_manage_fonts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts'($*)) dnl - - gen_require(` - type fonts_t; - ') - - # cjp: fonts can be in either of these dirs - files_search_usr($1) - libs_search_lib($1) - - manage_dirs_pattern($1, fonts_t, fonts_t) - manage_files_pattern($1, fonts_t, fonts_t) - manage_lnk_files_pattern($1, fonts_t, fonts_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts'($*)) dnl - ') - - -######################################## -## -## Set the attributes on a fonts cache directory. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_setattr_fonts_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_cache_dirs'($*)) dnl - - gen_require(` - type fonts_cache_t; - ') - - allow $1 fonts_cache_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_cache_dirs'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to set the attributes -## on a fonts cache directory. -## -## -## -## Domain to not audit. -## -## -# - define(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl - - gen_require(` - type fonts_cache_t; - ') - - dontaudit $1 fonts_cache_t:dir setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete fonts cache. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_manage_fonts_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts_cache'($*)) dnl - - gen_require(` - type fonts_cache_t; - ') - - files_search_var($1) - - manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) - manage_files_pattern($1, fonts_cache_t, fonts_cache_t) - manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts_cache'($*)) dnl - ') - - -######################################## -## -## Read hardware identification data. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_read_hwdata',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_hwdata'($*)) dnl - - gen_require(` - type hwdata_t; - ') - - allow $1 hwdata_t:dir list_dir_perms; - read_files_pattern($1, hwdata_t, hwdata_t) - read_lnk_files_pattern($1, hwdata_t, hwdata_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_hwdata'($*)) dnl - ') - - -######################################## -## -## Allow process to setattr localization info -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_setattr_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - allow $1 locale_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_setattr_localization'($*)) dnl - ') - - -######################################## -## -## Allow process to read localization information. -## -## -##

-## Allow the specified domain to read the localization files. -## This is typically for time zone configuration files, such as -## /etc/localtime and files in /usr/share/zoneinfo. -## Typically, any domain which needs to know the GMT/UTC -## offset of the current timezone will need access -## to these files. Generally, it should be safe for any -## domain to read these files. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - files_read_etc_symlinks($1) - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - read_files_pattern($1, locale_t, locale_t) - read_lnk_files_pattern($1, locale_t, locale_t) - allow $1 locale_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_localization'($*)) dnl - ') - - -######################################## -## -## Allow process to write localization info -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_rw_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_rw_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - rw_files_pattern($1, locale_t, locale_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_rw_localization'($*)) dnl - ') - - -######################################## -## -## Allow process to relabel localization info -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_relabel_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - files_search_usr($1) - relabel_files_pattern($1, locale_t, locale_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_relabel_localization'($*)) dnl - ') - - -######################################## -## -## Allow process to read legacy time localization info -## -## -## -## Domain allowed access. 
-## -## -# - define(`miscfiles_legacy_read_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_legacy_read_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - miscfiles_read_localization($1) - allow $1 locale_t:file execute; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_legacy_read_localization'($*)) dnl - ') - - -######################################## -## -## Watch time localization info -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_watch_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_watch_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - allow $1 locale_t:file watch; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_watch_localization'($*)) dnl - ') - - -######################################## -## -## Search man pages. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_search_man_pages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_search_man_pages'($*)) dnl - - gen_require(` - type man_t, man_cache_t; - ') - - allow $1 { man_cache_t man_t }:dir search_dir_perms; - files_search_usr($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_search_man_pages'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search man pages. -## -## -## -## Domain to not audit. 
-## -## -# - define(`miscfiles_dontaudit_search_man_pages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_search_man_pages'($*)) dnl - - gen_require(` - type man_t, man_cache_t; - ') - - dontaudit $1 { man_cache_t man_t }:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_search_man_pages'($*)) dnl - ') - - -######################################## -## -## Read man pages -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_man_pages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_pages'($*)) dnl - - gen_require(` - type man_t, man_cache_t; - ') - - files_search_usr($1) - allow $1 { man_cache_t man_t }:dir list_dir_perms; - read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_man_pages'($*)) dnl - ') - - -######################################## -## -## Delete man pages -## -## -## -## Domain allowed access. 
-## -## -# cjp: added for tmpreaper -# - define(`miscfiles_delete_man_pages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_delete_man_pages'($*)) dnl - - gen_require(` - type man_t, man_cache_t; - ') - - files_search_usr($1) - allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms }; - delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_delete_man_pages'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete man pages -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_manage_man_pages',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_pages'($*)) dnl - - gen_require(` - type man_t, man_cache_t; - ') - - files_search_usr($1) - manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_pages'($*)) dnl - ') - - -######################################## -## -## Read man cache content. -## -## -## -## Domain allowed access. 
-## -## -# - define(`miscfiles_read_man_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_cache'($*)) dnl - - gen_require(` - type man_cache_t; - ') - - files_search_var($1) - allow $1 man_cache_t:dir list_dir_perms; - allow $1 man_cache_t:file read_file_perms; - allow $1 man_cache_t:lnk_file read_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_man_cache'($*)) dnl - ') - - -######################################## -## -## Map man cache content. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_map_man_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_map_man_cache'($*)) dnl - - gen_require(` - type man_cache_t; - ') - - allow $1 man_cache_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_map_man_cache'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## man cache content. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_manage_man_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_cache'($*)) dnl - - gen_require(` - type man_cache_t; - ') - - files_search_var($1) - allow $1 man_cache_t:dir manage_dir_perms; - allow $1 man_cache_t:file manage_file_perms; - allow $1 man_cache_t:lnk_file manage_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_cache'($*)) dnl - ') - - -######################################## -## -## Relabel from and to man cache. -## -## -## -## Domain allowed access. 
-## -## -# - define(`miscfiles_relabel_man_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_man_cache'($*)) dnl - - gen_require(` - type man_cache_t; - ') - - relabel_dirs_pattern($1, man_cache_t, man_cache_t) - relabel_files_pattern($1, man_cache_t, man_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_relabel_man_cache'($*)) dnl - ') - - -######################################## -## -## Read public files used for file -## transfer services. -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_read_public_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_public_files'($*)) dnl - - gen_require(` - type public_content_t, public_content_rw_t; - ') - - allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; - read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) - read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_public_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete public files -## and directories used for file transfer services. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`miscfiles_manage_public_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_public_files'($*)) dnl - - gen_require(` - type public_content_rw_t; - ') - - manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t) - manage_files_pattern($1, public_content_rw_t, public_content_rw_t) - manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_public_files'($*)) dnl - ') - - -######################################## -## -## Read TeX data -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_read_tetex_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_tetex_data'($*)) dnl - - gen_require(` - type tetex_data_t; - ') - - files_search_var($1) - files_search_var_lib($1) - - # cjp: TeX data can be in either of the above dirs - allow $1 tetex_data_t:dir list_dir_perms; - read_files_pattern($1, tetex_data_t, tetex_data_t) - read_lnk_files_pattern($1, tetex_data_t, tetex_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_tetex_data'($*)) dnl - ') - - -######################################## -## -## Execute TeX data programs in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`miscfiles_exec_tetex_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_exec_tetex_data'($*)) dnl - - gen_require(` - type tetex_data_t; - ') - - files_search_var($1) - files_search_var_lib($1) - - # cjp: TeX data can be in either of the above dirs - allow $1 tetex_data_t:dir list_dir_perms; - exec_files_pattern($1, tetex_data_t, tetex_data_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_exec_tetex_data'($*)) dnl - ') - - -######################################## -## -## Let test files be an entry point for -## a specified domain. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_domain_entry_test_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_domain_entry_test_files'($*)) dnl - - gen_require(` - type test_file_t; - ') - - domain_entry_file($1, test_file_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_domain_entry_test_files'($*)) dnl - ') - - -######################################## -## -## Read test files and directories. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_read_test_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_read_test_files'($*)) dnl - - gen_require(` - type test_file_t; - ') - - read_files_pattern($1, test_file_t, test_file_t) - read_lnk_files_pattern($1, test_file_t, test_file_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_read_test_files'($*)) dnl - ') - - -######################################## -## -## Execute test files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`miscfiles_exec_test_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_exec_test_files'($*)) dnl - - gen_require(` - type test_file_t; - ') - - exec_files_pattern($1, test_file_t, test_file_t) - read_lnk_files_pattern($1, test_file_t, test_file_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_exec_test_files'($*)) dnl - ') - - -######################################## -## -## Create files in etc directories -## with localization file type. -## -## -## -## Domain allowed access. -## -## -# - define(`miscfiles_etc_filetrans_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_etc_filetrans_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - files_etc_filetrans($1, locale_t, file) - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_etc_filetrans_localization'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete localization -## -## -## -## Domain allowed access. -## -## -## -# - define(`miscfiles_manage_localization',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `miscfiles_manage_localization'($*)) dnl - - gen_require(` - type locale_t; - ') - - manage_dirs_pattern($1, locale_t, locale_t) - manage_files_pattern($1, locale_t, locale_t) - manage_lnk_files_pattern($1, locale_t, locale_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `miscfiles_manage_localization'($*)) dnl - ') - - -## Policy for logical volume management programs. - -######################################## -## -## Execute lvm programs in the lvm domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`lvm_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_domtrans'($*)) dnl - - gen_require(` - type lvm_t, lvm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, lvm_exec_t, lvm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute lvm programs in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`lvm_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_exec'($*)) dnl - - gen_require(` - type lvm_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, lvm_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_exec'($*)) dnl - ') - - -######################################## -## -## Execute lvm programs in the lvm domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the LVM domain. -## -## -## -# - define(`lvm_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_run'($*)) dnl - - gen_require(` - type lvm_t; - ') - - lvm_domtrans($1) - role $2 types lvm_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_run'($*)) dnl - ') - - -######################################## -## -## Send lvm a null signal. -## -## -## -## Domain allowed access. -## -## -# - define(`lvm_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_signull'($*)) dnl - - gen_require(` - type lvm_t; - ') - - allow $1 lvm_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_signull'($*)) dnl - ') - - -######################################## -## -## Read LVM configuration files. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`lvm_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_read_config'($*)) dnl - - gen_require(` - type lvm_etc_t; - ') - - files_search_etc($1) - allow $1 lvm_etc_t:dir list_dir_perms; - read_files_pattern($1, lvm_etc_t, lvm_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_read_config'($*)) dnl - ') - - -######################################## -## -## Manage LVM configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`lvm_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_manage_config'($*)) dnl - - gen_require(` - type lvm_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) - manage_files_pattern($1, lvm_etc_t, lvm_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_manage_config'($*)) dnl - ') - - -######################################## -## -## Create lvm_lock_t directories -## -## -## -## Domain allowed access. -## -## -## -# - define(`lvm_create_lock_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_create_lock_dirs'($*)) dnl - - gen_require(` - type lvm_lock_t; - ') - - create_dirs_pattern($1, lvm_lock_t, lvm_lock_t) - files_add_entry_lock_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_create_lock_dirs'($*)) dnl - ') - - -######################################## -## -## Read and write a lvm unnamed pipe. -## -## -## -## Domain allowed access. 
-## -## -# - define(`lvm_rw_inherited_pid_pipes',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_rw_inherited_pid_pipes'($*)) dnl - - gen_require(` - type lvm_runtime_t; - ') - - allow $1 lvm_runtime_t:fifo_file rw_inherited_fifo_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_rw_inherited_pid_pipes'($*)) dnl - ') - - -###################################### -## -## Execute a domain transition to run clvmd. -## -## -## -## Domain allowed to transition. -## -## -# - define(`lvm_domtrans_clvmd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_domtrans_clvmd'($*)) dnl - - gen_require(` - type clvmd_t, clvmd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, clvmd_exec_t, clvmd_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_domtrans_clvmd'($*)) dnl - ') - - -###################################### -## -## All of the rules required to -## administrate an lvm environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -# - define(`lvm_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `lvm_admin'($*)) dnl - - gen_require(` - type clvmd_t, clvmd_initrc_exec_t, lvm_t, lvm_unit_t; - type lvm_etc_t, lvm_lock_t, lvm_metadata_t; - type lvm_var_lib_t, lvm_runtime_t, clvmd_runtime_t, lvm_tmp_t; - ') - - admin_process_pattern($1, { clvmd_t lvm_t }) - - init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t) - - files_search_etc($1) - admin_pattern($1, { lvm_etc_t lvm_metadata_t }) - - files_search_locks($1) - admin_pattern($1, lvm_lock_t) - - files_search_var_lib($1) - admin_pattern($1, lvm_var_lib_t) - - files_search_pids($1) - admin_pattern($1, { lvm_runtime_t clvmd_runtime_t }) - - files_search_tmp($1) - admin_pattern($1, lvm_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `lvm_admin'($*)) dnl - ') - -## Xen hypervisor. - -######################################## -## -## Execute a domain transition to run xend. -## -## -## -## Domain allowed to transition. -## -## -# - define(`xen_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_domtrans'($*)) dnl - - gen_require(` - type xend_t, xend_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, xend_exec_t, xend_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute xend in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xen_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_exec'($*)) dnl - - gen_require(` - type xend_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, xend_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_exec'($*)) dnl - ') - - -######################################## -## -## Inherit and use xen file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_use_fds'($*)) dnl - - gen_require(` - type xend_t; - ') - - allow $1 xend_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## xen file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`xen_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_dontaudit_use_fds'($*)) dnl - - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## xend image directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xen_manage_image_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_manage_image_dirs'($*)) dnl - - gen_require(` - type xend_var_lib_t; - ') - - files_search_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_manage_image_dirs'($*)) dnl - ') - - -######################################## -## -## Read xend image files. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_read_image_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_read_image_files'($*)) dnl - - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_read_image_files'($*)) dnl - ') - - -######################################## -## -## Read and write xend image files. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_rw_image_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_rw_image_files'($*)) dnl - - gen_require(` - type xen_image_t, xend_var_lib_t; - ') - - files_list_var_lib($1) - allow $1 xend_var_lib_t:dir search_dir_perms; - rw_files_pattern($1, xen_image_t, xen_image_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_rw_image_files'($*)) dnl - ') - - -######################################## -## -## Append xend log files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`xen_append_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_append_log'($*)) dnl - - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, xend_var_log_t, xend_var_log_t) - dontaudit $1 xend_var_log_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_append_log'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## xend log files. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_manage_log',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_manage_log'($*)) dnl - - gen_require(` - type xend_var_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t) - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_manage_log'($*)) dnl - ') - - -####################################### -## -## Read xenstored pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_read_xenstored_pid_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_read_xenstored_pid_files'($*)) dnl - - gen_require(` - type xenstored_runtime_t; - ') - - files_search_pids($1) - read_files_pattern($1, xenstored_runtime_t, xenstored_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_read_xenstored_pid_files'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read and write -## Xen unix domain stream sockets. -## -## -## -## Domain to not audit. 
-## -## -# - define(`xen_dontaudit_rw_unix_stream_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl - - gen_require(` - type xend_t; - ') - - dontaudit $1 xend_t:unix_stream_socket { read write }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl - ') - - -######################################## -## -## Connect to xenstored with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_stream_connect_xenstore',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xenstore'($*)) dnl - - gen_require(` - type xenstored_t, xenstored_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_runtime_t, xenstored_runtime_t, xenstored_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_stream_connect_xenstore'($*)) dnl - ') - - -######################################## -## -## Connect to xend with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_stream_connect'($*)) dnl - - gen_require(` - type xend_t, xend_runtime_t, xend_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xend_runtime_t, xend_runtime_t, xend_t) - - files_search_var_lib($1) - stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_stream_connect'($*)) dnl - ') - - -######################################## -## -## Create in a xend_runtime_t directory -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. 
-## -## -## -## -## The object class of the object being created. -## -## -# - define(`xen_pid_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_pid_filetrans'($*)) dnl - - gen_require(` - type xend_runtime_t; - ') - - filetrans_pattern($1, xend_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_pid_filetrans'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run xm. -## -## -## -## Domain allowed to transition. -## -## -# - define(`xen_domtrans_xm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_domtrans_xm'($*)) dnl - - gen_require(` - type xm_t, xm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, xm_exec_t, xm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_domtrans_xm'($*)) dnl - ') - - -######################################## -## -## Connect to xm with a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`xen_stream_connect_xm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xm'($*)) dnl - - gen_require(` - type xm_t, xenstored_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, xenstored_runtime_t, xenstored_runtime_t, xm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `xen_stream_connect_xm'($*)) dnl - ') - -## Administration tool for IP packet filtering and NAT. - -######################################## -## -## Execute iptables in the iptables domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`iptables_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_domtrans'($*)) dnl - - gen_require(` - type iptables_t, iptables_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, iptables_exec_t, iptables_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit iptables_t $1:socket_class_set { read write }; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute iptables in the iptables domain, and -## allow the specified role the iptables domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`iptables_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_run'($*)) dnl - - gen_require(` - attribute_role iptables_roles; - ') - - iptables_domtrans($1) - roleattribute $2 iptables_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_run'($*)) dnl - ') - - -######################################## -## -## Execute iptables in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`iptables_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_exec'($*)) dnl - - gen_require(` - type iptables_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, iptables_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_exec'($*)) dnl - ') - - -######################################## -## -## Execute iptables init scripts in -## the init script domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`iptables_initrc_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_initrc_domtrans'($*)) dnl - - gen_require(` - type iptables_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, iptables_initrc_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_initrc_domtrans'($*)) dnl - ') - - -######################################## -## -## Set the attributes of iptables config files. -## -## -## -## Domain allowed access. -## -## -# - define(`iptables_setattr_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_setattr_config'($*)) dnl - - gen_require(` - type iptables_conf_t; - ') - - files_search_etc($1) - allow $1 iptables_conf_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_setattr_config'($*)) dnl - ') - - -######################################## -## -## Read iptables config files. -## -## -## -## Domain allowed access. -## -## -# - define(`iptables_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_read_config'($*)) dnl - - gen_require(` - type iptables_conf_t; - ') - - files_search_etc($1) - allow $1 iptables_conf_t:dir list_dir_perms; - read_files_pattern($1, iptables_conf_t, iptables_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_read_config'($*)) dnl - ') - - -######################################## -## -## Create files in /etc with the type used for -## the iptables config files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`iptables_etc_filetrans_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_etc_filetrans_config'($*)) dnl - - gen_require(` - type iptables_conf_t; - ') - - files_etc_filetrans($1, iptables_conf_t, file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_etc_filetrans_config'($*)) dnl - ') - - -######################################## -## -## Manage iptables config files. -## -## -## -## Domain allowed access. -## -## -# - define(`iptables_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_manage_config'($*)) dnl - - gen_require(` - type iptables_conf_t; - ') - - files_search_etc($1) - manage_files_pattern($1, iptables_conf_t, iptables_conf_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_manage_config'($*)) dnl - ') - - -######################################## -## -## dontaudit reading iptables_runtime_t -## -## -## -## Domain to not audit. -## -## -# - define(`iptables_dontaudit_read_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_dontaudit_read_pids'($*)) dnl - - gen_require(` - type iptables_runtime_t; - ') - - dontaudit $1 iptables_runtime_t:file read; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_dontaudit_read_pids'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to start and stop iptables service -## -## -## -## Domain allowed access. 
-## -## -# - define(`iptables_startstop',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_startstop'($*)) dnl - - gen_require(` - type iptables_unit_t; - class service { start stop }; - ') - - allow $1 iptables_unit_t:service { start stop }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_startstop'($*)) dnl - ') - - -######################################## -## -## Allow specified domain to get status of iptables service -## -## -## -## Domain allowed access. -## -## -# - define(`iptables_status',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_status'($*)) dnl - - gen_require(` - type iptables_unit_t; - class service status; - ') - - allow $1 iptables_unit_t:service status; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_status'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an iptables -## environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`iptables_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iptables_admin'($*)) dnl - - gen_require(` - type iptables_t, iptables_initrc_exec_t, iptables_conf_t; - type iptables_tmp_t, iptables_runtime_t, iptables_unit_t; - ') - - admin_process_pattern($1, iptables_t) - - init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t) - - files_search_etc($1) - admin_pattern($1, iptables_conf_t) - - files_search_tmp($1) - admin_pattern($1, iptables_tmp_t) - - files_search_pids($1) - admin_pattern($1, iptables_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iptables_admin'($*)) dnl - ') - -## Policy for reading and setting the hardware clock. 
- -######################################## -## -## Execute hwclock in the clock domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`clock_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_domtrans'($*)) dnl - - gen_require(` - type hwclock_t, hwclock_exec_t; - ') - - domtrans_pattern($1, hwclock_exec_t, hwclock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute hwclock in the clock domain, and -## allow the specified role the hwclock domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`clock_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_run'($*)) dnl - - gen_require(` - type hwclock_t; - ') - - clock_domtrans($1) - role $2 types hwclock_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_run'($*)) dnl - ') - - -######################################## -## -## Execute hwclock in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`clock_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_exec'($*)) dnl - - gen_require(` - type hwclock_exec_t; - ') - - can_exec($1, hwclock_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_exec'($*)) dnl - ') - - -######################################## -## -## Read clock drift adjustments. -## -## -## -## Domain allowed access. 
-## -## -# - define(`clock_read_adjtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_read_adjtime'($*)) dnl - - gen_require(` - type adjtime_t; - ') - - files_list_etc($1) - allow $1 adjtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_read_adjtime'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write clock drift adjustments. -## -## -## -## Domain to not audit. -## -## -# - define(`clock_dontaudit_write_adjtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_dontaudit_write_adjtime'($*)) dnl - - gen_require(` - type adjtime_t; - ') - - dontaudit $1 adjtime_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_dontaudit_write_adjtime'($*)) dnl - ') - - -######################################## -## -## Read and write clock drift adjustments. -## -## -## -## Domain allowed access. -## -## -# - define(`clock_rw_adjtime',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `clock_rw_adjtime'($*)) dnl - - gen_require(` - type adjtime_t; - ') - - allow $1 adjtime_t:file rw_file_perms; - files_list_etc($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `clock_rw_adjtime'($*)) dnl - ') - -## Establish connections to iSCSI devices. - -######################################## -## -## Execute a domain transition to run iscsid. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`iscsid_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iscsid_domtrans'($*)) dnl - - gen_require(` - type iscsid_t, iscsid_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, iscsid_exec_t, iscsid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iscsid_domtrans'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## iscsid sempaphores. -## -## -## -## Domain allowed access. -## -## -# - define(`iscsi_manage_semaphores',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iscsi_manage_semaphores'($*)) dnl - - gen_require(` - type iscsid_t; - ') - - allow $1 iscsid_t:sem create_sem_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iscsi_manage_semaphores'($*)) dnl - ') - - -######################################## -## -## Connect to iscsid using a unix -## domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`iscsi_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iscsi_stream_connect'($*)) dnl - - gen_require(` - type iscsid_t, iscsi_var_lib_t; - ') - - files_search_var_lib($1) - stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iscsi_stream_connect'($*)) dnl - ') - - -######################################## -## -## Read iscsid lib files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`iscsi_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iscsi_read_lib_files'($*)) dnl - - gen_require(` - type iscsi_var_lib_t; - ') - - read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) - allow $1 iscsi_var_lib_t:dir list_dir_perms; - files_search_var_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iscsi_read_lib_files'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an iscsi environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`iscsi_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `iscsi_admin'($*)) dnl - - gen_require(` - type iscsid_t, iscsi_lock_t, iscsi_log_t; - type iscsi_var_lib_t, iscsi_runtime_t, iscsi_tmp_t; - type iscsi_initrc_exec_t; - ') - - allow $1 iscsid_t:process { ptrace signal_perms }; - ps_process_pattern($1, iscsid_t) - - init_startstop_service($1, $2, iscsi_t, iscsi_initrc_exec_t) - - logging_search_logs($1) - admin_pattern($1, iscsi_log_t) - - files_search_locks($1) - admin_pattern($1, iscsi_lock_t) - - files_search_var_lib($1) - admin_pattern($1, iscsi_var_lib_t) - - files_search_pids($1) - admin_pattern($1, iscsi_runtime_t) - - files_search_tmp($1) - admin_pattern($1, iscsi_tmp_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `iscsi_admin'($*)) dnl - ') - -## RAID array management tools. - -######################################## -## -## Execute software raid tools in -## the mdadm domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`raid_domtrans_mdadm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `raid_domtrans_mdadm'($*)) dnl - - gen_require(` - type mdadm_t, mdadm_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, mdadm_exec_t, mdadm_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `raid_domtrans_mdadm'($*)) dnl - ') - - -###################################### -## -## Execute mdadm in the mdadm -## domain, and allow the specified -## role the mdadm domain. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed to transition. -## -## -# - define(`raid_run_mdadm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `raid_run_mdadm'($*)) dnl - - gen_require(` - attribute_role mdadm_roles; - ') - - raid_domtrans_mdadm($2) - roleattribute $1 mdadm_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `raid_run_mdadm'($*)) dnl - ') - - -######################################## -## -## read mdadm pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`raid_read_mdadm_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `raid_read_mdadm_pid'($*)) dnl - - gen_require(` - type mdadm_runtime_t; - ') - - files_search_pids($1) - allow $1 mdadm_runtime_t:dir list_dir_perms; - allow $1 mdadm_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `raid_read_mdadm_pid'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## mdadm pid files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`raid_manage_mdadm_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `raid_manage_mdadm_pid'($*)) dnl - - gen_require(` - type mdadm_runtime_t; - ') - - files_search_pids($1) - allow $1 mdadm_runtime_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `raid_manage_mdadm_pid'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an mdadm environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`raid_admin_mdadm',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `raid_admin_mdadm'($*)) dnl - - gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_runtime_t; - ') - - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) - - init_startstop_service($1, $2, mdadm_t, mdadm_initrc_exec_t) - - files_search_pids($1) - admin_pattern($1, mdadm_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `raid_admin_mdadm'($*)) dnl - ') - -## TCP/IP encryption - -######################################## -## -## Execute ipsec in the ipsec domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ipsec_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_domtrans'($*)) dnl - - gen_require(` - type ipsec_t, ipsec_exec_t; - ') - - domtrans_pattern($1, ipsec_exec_t, ipsec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_domtrans'($*)) dnl - ') - - -######################################## -## -## Connect to IPSEC using a unix domain stream socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ipsec_stream_connect',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect'($*)) dnl - - gen_require(` - type ipsec_t, ipsec_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ipsec_runtime_t, ipsec_runtime_t, ipsec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_stream_connect'($*)) dnl - ') - - -######################################## -## -## Execute ipsec in the ipsec mgmt domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_domtrans_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_mgmt'($*)) dnl - - gen_require(` - type ipsec_mgmt_t, ipsec_mgmt_exec_t; - ') - - domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_domtrans_mgmt'($*)) dnl - ') - - -######################################## -## -## Connect to racoon using a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_stream_connect_racoon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect_racoon'($*)) dnl - - gen_require(` - type racoon_t, ipsec_runtime_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, ipsec_runtime_t, ipsec_runtime_t, racoon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_stream_connect_racoon'($*)) dnl - ') - - -######################################## -## -## Get the attributes of an IPSEC key socket. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ipsec_getattr_key_sockets',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_getattr_key_sockets'($*)) dnl - - gen_require(` - type ipsec_t; - ') - - allow $1 ipsec_t:key_socket getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_getattr_key_sockets'($*)) dnl - ') - - -######################################## -## -## Execute the IPSEC management program in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_exec_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_exec_mgmt'($*)) dnl - - gen_require(` - type ipsec_exec_t; - ') - - can_exec($1, ipsec_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_exec_mgmt'($*)) dnl - ') - - -######################################## -## -## Send ipsec mgmt a general signal. -## -## -## -## Domain allowed access. -## -## -# -# - define(`ipsec_signal_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_signal_mgmt'($*)) dnl - - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_signal_mgmt'($*)) dnl - ') - - -######################################## -## -## Send ipsec mgmt a null signal. -## -## -## -## Domain allowed access. 
-## -## -# -# - define(`ipsec_signull_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_signull_mgmt'($*)) dnl - - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_signull_mgmt'($*)) dnl - ') - - -######################################## -## -## Send ipsec mgmt a kill signal. -## -## -## -## Domain allowed access. -## -## -# -# - define(`ipsec_kill_mgmt',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_kill_mgmt'($*)) dnl - - gen_require(` - type ipsec_mgmt_t; - ') - - allow $1 ipsec_mgmt_t:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_kill_mgmt'($*)) dnl - ') - - -###################################### -## -## Send and receive messages from -## ipsec-mgmt over dbus. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_mgmt_dbus_chat',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_dbus_chat'($*)) dnl - - gen_require(` - type ipsec_mgmt_t; - class dbus send_msg; - ') - - allow $1 ipsec_mgmt_t:dbus send_msg; - allow ipsec_mgmt_t $1:dbus send_msg; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_mgmt_dbus_chat'($*)) dnl - ') - - -######################################## -## -## Read the IPSEC configuration -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`ipsec_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_read_config'($*)) dnl - - gen_require(` - type ipsec_conf_file_t; - ') - - files_search_etc($1) - allow $1 ipsec_conf_file_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_read_config'($*)) dnl - ') - - -######################################## -## -## Match the default SPD entry. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_match_default_spd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_match_default_spd'($*)) dnl - - gen_require(` - type ipsec_spd_t; - ') - - allow $1 ipsec_spd_t:association polmatch; - allow $1 self:association sendto; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_match_default_spd'($*)) dnl - ') - - -######################################## -## -## Set the context of a SPD entry to -## the default context. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_setcontext_default_spd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_setcontext_default_spd'($*)) dnl - - gen_require(` - type ipsec_spd_t; - ') - - allow $1 ipsec_spd_t:association setcontext; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_setcontext_default_spd'($*)) dnl - ') - - -######################################## -## -## write the ipsec_runtime_t files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`ipsec_write_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_write_pid'($*)) dnl - - gen_require(` - type ipsec_runtime_t; - ') - - files_search_pids($1) - write_files_pattern($1, ipsec_runtime_t, ipsec_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_write_pid'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the IPSEC pid files. -## -## -## -## Domain allowed access. -## -## -# - define(`ipsec_manage_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_manage_pid'($*)) dnl - - gen_require(` - type ipsec_runtime_t; - ') - - files_search_pids($1) - manage_files_pattern($1, ipsec_runtime_t, ipsec_runtime_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_manage_pid'($*)) dnl - ') - - -######################################## -## -## Execute racoon in the racoon domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ipsec_domtrans_racoon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_racoon'($*)) dnl - - gen_require(` - type racoon_t, racoon_exec_t; - ') - - domtrans_pattern($1, racoon_exec_t, racoon_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_domtrans_racoon'($*)) dnl - ') - - -######################################## -## -## Execute racoon and allow the specified role the domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ipsec_run_racoon',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_run_racoon'($*)) dnl - - gen_require(` - type racoon_t; - ') - - ipsec_domtrans_racoon($1) - role $2 types racoon_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_run_racoon'($*)) dnl - ') - - -######################################## -## -## Execute setkey in the setkey domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`ipsec_domtrans_setkey',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_setkey'($*)) dnl - - gen_require(` - type setkey_t, setkey_exec_t; - ') - - domtrans_pattern($1, setkey_exec_t, setkey_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_domtrans_setkey'($*)) dnl - ') - - -######################################## -## -## Execute setkey and allow the specified role the domains. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access.. -## -## -## -# - define(`ipsec_run_setkey',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_run_setkey'($*)) dnl - - gen_require(` - type setkey_t; - ') - - ipsec_domtrans_setkey($1) - role $2 types setkey_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_run_setkey'($*)) dnl - ') - - -######################################## -## -## All of the rules required to -## administrate an ipsec environment. -## -## -## -## Domain allowed access. -## -## -## -## -## Role allowed access. 
-## -## -## -# - define(`ipsec_admin',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `ipsec_admin'($*)) dnl - - gen_require(` - type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t; - type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t; - type ipsec_runtime_t, ipsec_mgmt_lock_t; - type ipsec_mgmt_runtime_t, racoon_tmp_t; - type ipsec_unit_t; - ') - - allow $1 ipsec_t:process { ptrace signal_perms }; - ps_process_pattern($1, ipsec_t) - - init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t) - - ipsec_exec_mgmt($1) - ipsec_stream_connect($1) - # for lsof - ipsec_getattr_key_sockets($1) - - files_search_etc($1) - admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t }) - - files_search_tmp($1) - admin_pattern($1, { ipsec_tmp_t racoon_tmp_t }) - - files_search_pids($1) - admin_pattern($1, { ipsec_runtime_t ipsec_mgmt_runtime_t }) - - files_search_locks($1) - admin_pattern($1, ipsec_mgmt_lock_t) - - logging_search_logs($1) - admin_pattern($1, ipsec_log_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `ipsec_admin'($*)) dnl - ') - -## Policy for SELinux policy and userland applications. - -####################################### -## -## Execute checkpolicy in the checkpolicy domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`seutil_domtrans_checkpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_checkpolicy'($*)) dnl - - gen_require(` - type checkpolicy_t, checkpolicy_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_checkpolicy'($*)) dnl - ') - - -######################################## -## -## Execute checkpolicy in the checkpolicy domain, and -## allow the specified role the checkpolicy domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_checkpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_checkpolicy'($*)) dnl - - gen_require(` - type checkpolicy_t; - ') - - seutil_domtrans_checkpolicy($1) - role $2 types checkpolicy_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_checkpolicy'($*)) dnl - ') - - -######################################## -## -## Execute checkpolicy in the caller domain. -## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_exec_checkpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_exec_checkpolicy'($*)) dnl - - gen_require(` - type checkpolicy_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, checkpolicy_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_exec_checkpolicy'($*)) dnl - ') - - -####################################### -## -## Execute load_policy in the load_policy domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`seutil_domtrans_loadpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_loadpolicy'($*)) dnl - - gen_require(` - type load_policy_t, load_policy_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, load_policy_exec_t, load_policy_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_loadpolicy'($*)) dnl - ') - - -######################################## -## -## Execute load_policy in the load_policy domain, and -## allow the specified role the load_policy domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_loadpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_loadpolicy'($*)) dnl - - gen_require(` - type load_policy_t; - ') - - seutil_domtrans_loadpolicy($1) - role $2 types load_policy_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_loadpolicy'($*)) dnl - ') - - -######################################## -## -## Execute load_policy in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_exec_loadpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_exec_loadpolicy'($*)) dnl - - gen_require(` - type load_policy_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, load_policy_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_exec_loadpolicy'($*)) dnl - ') - - -######################################## -## -## Read the load_policy program file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_read_loadpolicy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_loadpolicy'($*)) dnl - - gen_require(` - type load_policy_exec_t; - ') - - corecmd_search_bin($1) - allow $1 load_policy_exec_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_loadpolicy'($*)) dnl - ') - - -####################################### -## -## Execute newrole in the newole domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`seutil_domtrans_newrole',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_newrole'($*)) dnl - - gen_require(` - type newrole_t, newrole_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, newrole_exec_t, newrole_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_newrole'($*)) dnl - ') - - -######################################## -## -## Execute newrole in the newrole domain, and -## allow the specified role the newrole domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_newrole',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_newrole'($*)) dnl - - gen_require(` - attribute_role newrole_roles; - ') - - seutil_domtrans_newrole($1) - roleattribute $2 newrole_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_newrole'($*)) dnl - ') - - -######################################## -## -## Execute newrole in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_exec_newrole',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_exec_newrole'($*)) dnl - - gen_require(` - type newrole_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, newrole_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_exec_newrole'($*)) dnl - ') - - -######################################## -## -## Do not audit the caller attempts to send -## a signal to newrole. -## -## -## -## Domain to not audit. -## -## -# - define(`seutil_dontaudit_signal_newrole',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_signal_newrole'($*)) dnl - - gen_require(` - type newrole_t; - ') - - dontaudit $1 newrole_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_signal_newrole'($*)) dnl - ') - - -######################################## -## -## Send a SIGCHLD signal to newrole. -## -## -##

-## Allow the specified domain to send a SIGCHLD -## signal to newrole. This signal is automatically -## sent from a process that is terminating to -## its parent. This may be needed by domains -## that are executed from newrole. -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`seutil_sigchld_newrole',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_sigchld_newrole'($*)) dnl - - gen_require(` - type newrole_t; - ') - - allow $1 newrole_t:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_sigchld_newrole'($*)) dnl - ') - - -######################################## -## -## Inherit and use newrole file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_use_newrole_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_use_newrole_fds'($*)) dnl - - gen_require(` - type newrole_t; - ') - - allow $1 newrole_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_use_newrole_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit and use -## newrole file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`seutil_dontaudit_use_newrole_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_use_newrole_fds'($*)) dnl - - gen_require(` - type newrole_t; - ') - - dontaudit $1 newrole_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_use_newrole_fds'($*)) dnl - ') - - -######################################## -## -## Execute run_init in the run_init domain. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`seutil_domtrans_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_runinit'($*)) dnl - - gen_require(` - type run_init_t, run_init_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, run_init_exec_t, run_init_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_runinit'($*)) dnl - ') - - -######################################## -## -## Execute file in the run_init domain. -## -## -##

-## Execute file in the run_init domain. -## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Type of entry file. -## -## -# - define(`seutil_labeled_init_script_domtrans_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_labeled_init_script_domtrans_runinit'($*)) dnl - - gen_require(` - type run_init_t; - ') - - domain_entry_file(run_init_t, $2) - domain_auto_transition_pattern($1, $2, run_init_t) - - allow run_init_t $1:fd use; - allow run_init_t $1:fifo_file rw_file_perms; - allow run_init_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_labeled_init_script_domtrans_runinit'($*)) dnl - ') - - -######################################## -## -## Execute init scripts in the run_init domain. -## -## -##

-## Execute init scripts in the run_init domain. -## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -# - define(`seutil_init_script_domtrans_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_init_script_domtrans_runinit'($*)) dnl - - gen_require(` - type run_init_t; - ') - - init_script_file_domtrans($1, run_init_t) - - allow run_init_t $1:fd use; - allow run_init_t $1:fifo_file rw_file_perms; - allow run_init_t $1:process sigchld; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_init_script_domtrans_runinit'($*)) dnl - ') - - -######################################## -## -## Execute run_init in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_runinit'($*)) dnl - - gen_require(` - attribute_role run_init_roles; - ') - - seutil_domtrans_runinit($1) - roleattribute $2 run_init_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_runinit'($*)) dnl - ') - - -######################################## -## -## Execute init scripts in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -##

-## Execute init scripts in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -##

-##

-## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -# - define(`seutil_init_script_run_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_init_script_run_runinit'($*)) dnl - - gen_require(` - attribute_role run_init_roles; - ') - - seutil_init_script_domtrans_runinit($1) - roleattribute $2 run_init_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_init_script_run_runinit'($*)) dnl - ') - - -######################################## -## -## Execute specified file in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -## -## -##

-## Execute specified file in the run_init domain, and -## allow the specified role the run_init domain, -## and use the caller's terminal. -##

-##

-## This is used for the Gentoo integrated run_init. -##

-##
-## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -## -## Type of init script. -## -## -# - define(`seutil_labeled_init_script_run_runinit',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_labeled_init_script_run_runinit'($*)) dnl - - gen_require(` - attribute_role run_init_roles; - ') - - seutil_labeled_init_script_domtrans_runinit($1, $3) - roleattribute $2 run_init_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_labeled_init_script_run_runinit'($*)) dnl - ') - - -######################################## -## -## Inherit and use run_init file descriptors. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_use_runinit_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_use_runinit_fds'($*)) dnl - - gen_require(` - type run_init_t; - ') - - allow $1 run_init_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_use_runinit_fds'($*)) dnl - ') - - -######################################## -## -## Execute setfiles in the setfiles domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`seutil_domtrans_setfiles',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles'($*)) dnl - - gen_require(` - type setfiles_t, setfiles_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setfiles_exec_t, setfiles_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles'($*)) dnl - ') - - -######################################## -## -## Execute setfiles in the setfiles domain, and -## allow the specified role the setfiles domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_setfiles',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles'($*)) dnl - - gen_require(` - type setfiles_t; - ') - - seutil_domtrans_setfiles($1) - role $2 types setfiles_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_setfiles'($*)) dnl - ') - - -######################################## -## -## Execute setfiles in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_exec_setfiles',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_exec_setfiles'($*)) dnl - - gen_require(` - type setfiles_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, setfiles_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_exec_setfiles'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the SELinux -## configuration directory (/etc/selinux). -## -## -## -## Domain to not audit. -## -## -# - define(`seutil_dontaudit_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_config'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - dontaudit $1 selinux_config_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_config'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the SELinux -## userland configuration (/etc/selinux). -## -## -## -## Domain to not audit. 
-## -## -# - define(`seutil_dontaudit_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_config'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - dontaudit $1 selinux_config_t:dir search_dir_perms; - dontaudit $1 selinux_config_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_config'($*)) dnl - ') - - -######################################## -## -## Read the general SELinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_config'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir list_dir_perms; - read_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_config'($*)) dnl - ') - - -######################################## -## -## Read and write the general SELinux configuration files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_rw_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_rw_config'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir list_dir_perms; - rw_files_pattern($1, selinux_config_t, selinux_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_rw_config'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## the general selinux configuration files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`seutil_manage_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_config'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_config'($*)) dnl - ') - - -####################################### -## -## Create, read, write, and delete -## the general selinux configuration directories. -## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_manage_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_config_dirs'($*)) dnl - - gen_require(` - type selinux_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_config_dirs'($*)) dnl - ') - - -######################################## -## -## Search the policy directory with default_context files. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_search_default_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_search_default_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - search_dirs_pattern($1, selinux_config_t, default_context_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_search_default_contexts'($*)) dnl - ') - - -######################################## -## -## Read the default_contexts files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`seutil_read_default_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_default_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, selinux_config_t, default_context_t) - read_files_pattern($1, default_context_t, default_context_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_default_contexts'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the default_contexts files. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_manage_default_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_default_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, default_context_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_files_pattern($1, default_context_t, default_context_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_default_contexts'($*)) dnl - ') - - -######################################## -## -## Read the file_contexts files. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`seutil_read_file_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_file_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, default_context_t, file_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - read_files_pattern($1, file_context_t, file_context_t) - allow $1 file_context_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_file_contexts'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the file_contexts files. -## -## -## -## Domain to not audit. -## -## -## -# - define(`seutil_dontaudit_read_file_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_file_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, default_context_t, file_context_t; - ') - - dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; - dontaudit $1 file_context_t:file read_file_perms; - dontaudit $1 file_context_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_file_contexts'($*)) dnl - ') - - -######################################## -## -## Read and write the file_contexts files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_rw_file_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_rw_file_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, file_context_t, default_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - rw_files_pattern($1, file_context_t, file_context_t) - allow $1 file_context_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_rw_file_contexts'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the file_contexts files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_manage_file_contexts',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_file_contexts'($*)) dnl - - gen_require(` - type selinux_config_t, file_context_t, default_context_t; - ') - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - manage_files_pattern($1, file_context_t, file_context_t) - allow $1 file_context_t:file map; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_file_contexts'($*)) dnl - ') - - -######################################## -## -## Read the SELinux binary policy. -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_read_bin_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_bin_policy'($*)) dnl - - gen_require(` - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - read_files_pattern($1, policy_config_t, policy_config_t) - allow $1 policy_config_t:file map; - - ifdef(`distro_gentoo',` - # Allow sesearch to read /etc/selinux/.../policy - # Otherwise it returns "No default policy found" - allow $1 policy_config_t:dir list_dir_perms; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_bin_policy'($*)) dnl - ') - - -######################################## -## -## Create the SELinux binary policy. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_create_bin_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_create_bin_policy'($*)) dnl - - gen_require(` -# attribute can_write_binary_policy; - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - create_files_pattern($1, policy_config_t, policy_config_t) - write_files_pattern($1, policy_config_t, policy_config_t) -# typeattribute $1 can_write_binary_policy; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_create_bin_policy'($*)) dnl - ') - - -######################################## -## -## Allow the caller to relabel a file to the binary policy type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_relabelto_bin_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_relabelto_bin_policy'($*)) dnl - - gen_require(` - attribute can_relabelto_binary_policy; - type policy_config_t; - ') - - allow $1 policy_config_t:file relabelto; - typeattribute $1 can_relabelto_binary_policy; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_relabelto_bin_policy'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the SELinux -## binary policy. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_manage_bin_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_bin_policy'($*)) dnl - - gen_require(` - attribute can_write_binary_policy; - type selinux_config_t, policy_config_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_files_pattern($1, policy_config_t, policy_config_t) - typeattribute $1 can_write_binary_policy; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_bin_policy'($*)) dnl - ') - - -######################################## -## -## Read SELinux policy source files. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_read_src_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_src_policy'($*)) dnl - - gen_require(` - type selinux_config_t, policy_src_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, selinux_config_t, policy_src_t) - read_files_pattern($1, policy_src_t, policy_src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_src_policy'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete SELinux -## policy source files. 
-## -## -## -## Domain allowed access. -## -## -## -# - define(`seutil_manage_src_policy',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_src_policy'($*)) dnl - - gen_require(` - type selinux_config_t, policy_src_t; - ') - - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - manage_dirs_pattern($1, policy_src_t, policy_src_t) - manage_files_pattern($1, policy_src_t, policy_src_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_src_policy'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run semanage. -## -## -## -## Domain allowed to transition. -## -## -# - define(`seutil_domtrans_semanage',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_domtrans_semanage'($*)) dnl - - gen_require(` - type semanage_t, semanage_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, semanage_exec_t, semanage_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_domtrans_semanage'($*)) dnl - ') - - -######################################## -## -## Execute semanage in the semanage domain, and -## allow the specified role the semanage domain, -## and use the caller's terminal. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. -## -## -## -# - define(`seutil_run_semanage',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_run_semanage'($*)) dnl - - gen_require(` - attribute_role semanage_roles; - ') - - seutil_domtrans_semanage($1) - roleattribute $2 semanage_roles; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_run_semanage'($*)) dnl - ') - - -######################################## -## -## Read the semanage module store. 
-## -## -## -## Domain allowed access. -## -## -# - define(`seutil_read_module_store',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_read_module_store'($*)) dnl - - gen_require(` - type selinux_config_t, semanage_store_t; - ') - - files_search_etc($1) - files_search_var($1) - list_dirs_pattern($1, selinux_config_t, semanage_store_t) - list_dirs_pattern($1, semanage_store_t, semanage_store_t) - read_files_pattern($1, semanage_store_t, semanage_store_t) - allow $1 semanage_store_t:file map; - read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_read_module_store'($*)) dnl - ') - - -######################################## -## -## Full management of the semanage -## module store. -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_manage_module_store',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_manage_module_store'($*)) dnl - - gen_require(` - type selinux_config_t, semanage_store_t; - ') - - files_search_etc($1) - files_search_var($1) - manage_dirs_pattern($1, selinux_config_t, semanage_store_t) - manage_dirs_pattern($1, semanage_store_t, semanage_store_t) - manage_files_pattern($1, semanage_store_t, semanage_store_t) - allow $1 semanage_store_t:file map; - manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_manage_module_store'($*)) dnl - ') - - -####################################### -## -## Get read lock on module store -## -## -## -## Domain allowed access. 
-## -## -# - define(`seutil_get_semanage_read_lock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_read_lock'($*)) dnl - - gen_require(` - type selinux_config_t, semanage_read_lock_t; - ') - - files_search_etc($1) - rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_get_semanage_read_lock'($*)) dnl - ') - - -####################################### -## -## Get trans lock on module store -## -## -## -## Domain allowed access. -## -## -# - define(`seutil_get_semanage_trans_lock',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_trans_lock'($*)) dnl - - gen_require(` - type selinux_config_t, semanage_trans_lock_t; - ') - - files_search_etc($1) - rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_get_semanage_trans_lock'($*)) dnl - ') - - -######################################## -## -## SELinux-enabled program access for -## libselinux-linked programs. -## -## -##

-## SELinux-enabled programs are typically -## linked to the libselinux library. This -## interface will allow access required for -## the libselinux constructor to function. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`seutil_libselinux_linked',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_libselinux_linked'($*)) dnl - - selinux_get_fs_mount($1) - seutil_read_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_libselinux_linked'($*)) dnl - ') - - -######################################## -## -## Do not audit SELinux-enabled program access for -## libselinux-linked programs. -## -## -##

-## SELinux-enabled programs are typically -## linked to the libselinux library. This -## interface will dontaudit access required for -## the libselinux constructor to function. -##

-##

-## Generally this should not be used on anything -## but simple SELinux-enabled programs that do not -## rely on data initialized by the libselinux -## constructor. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`seutil_dontaudit_libselinux_linked',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_libselinux_linked'($*)) dnl - - selinux_dontaudit_get_fs_mount($1) - seutil_dontaudit_read_config($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `seutil_dontaudit_libselinux_linked'($*)) dnl - ') - -## Policy for user executable applications. - -######################################## -## -## Make the specified type usable as an application domain. -## -## -## -## Type to be used as a domain type. -## -## -# - define(`application_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_type'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - typeattribute $1 application_domain_type; - - # start with basic domain - domain_type($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_type'($*)) dnl - ') - - -######################################## -## -## Make the specified type usable for files -## that are exectuables, such as binary programs. -## This does not include shared libraries. -## -## -## -## Type to be used for files. -## -## -# - define(`application_executable_file',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_executable_file'($*)) dnl - - gen_require(` - attribute application_exec_type; - ') - - typeattribute $1 application_exec_type; - - corecmd_executable_file($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_executable_file'($*)) dnl - ') - - -######################################## -## -## Execute application executables in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`application_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_exec'($*)) dnl - - gen_require(` - attribute application_exec_type; - ') - - can_exec($1, application_exec_type) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_exec'($*)) dnl - ') - - -######################################## -## -## Execute all executable files. -## -## -## -## Domain allowed access. -## -## -## -# - define(`application_exec_all',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_exec_all'($*)) dnl - - corecmd_dontaudit_exec_all_executables($1) - corecmd_exec_bin($1) - corecmd_exec_shell($1) - corecmd_exec_chroot($1) - - application_exec($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_exec_all'($*)) dnl - ') - - -######################################## -## -## Create a domain for applications. -## -## -##

-## Create a domain for applications. Typically these are -## programs that are run interactively. -##

-##

-## The types will be made usable as a domain and file, making -## calls to domain_type() and files_type() redundant. -##

-##
-## -## -## Type to be used as an application domain. -## -## -## -## -## Type of the program to be used as an entry point to this domain. -## -## -## -# - define(`application_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_domain'($*)) dnl - - application_type($1) - application_executable_file($2) - domain_entry_file($1, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_domain'($*)) dnl - ') - - -######################################## -## -## Send null signals to all application domains. -## -## -## -## Domain allowed access. -## -## -# - define(`application_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_signull'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - allow $1 application_domain_type:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_signull'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send null signals -## to all application domains. -## -## -## -## Domain to not audit. -## -## -# - define(`application_dontaudit_signull',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_dontaudit_signull'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - dontaudit $1 application_domain_type:process signull; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_dontaudit_signull'($*)) dnl - ') - - -######################################## -## -## Send general signals to all application domains. -## -## -## -## Domain allowed access. 
-## -## -# - define(`application_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_signal'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - allow $1 application_domain_type:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_signal'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send general signals -## to all application domains. -## -## -## -## Domain to not audit. -## -## -# - define(`application_dontaudit_signal',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_dontaudit_signal'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - dontaudit $1 application_domain_type:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_dontaudit_signal'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to send kill signals -## to all application domains. -## -## -## -## Domain to not audit. -## -## -# - define(`application_dontaudit_sigkill',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `application_dontaudit_sigkill'($*)) dnl - - gen_require(` - attribute application_domain_type; - ') - - dontaudit $1 application_domain_type:process sigkill; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `application_dontaudit_sigkill'($*)) dnl - ') - -## Common policy for authentication and user login. - -######################################## -## -## Role access for password authentication. -## -## -## -## Role allowed access. -## -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_role',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_role'($*)) dnl - - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - ') - - role $1 types chkpwd_t; - - # Transition from the user domain to this domain. - domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) - - ps_process_pattern($2, chkpwd_t) - - dontaudit $2 shadow_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_role'($*)) dnl - ') - - -######################################## -## -## Use PAM for authentication. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_use_pam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_use_pam'($*)) dnl - - - # for SSP/ProPolice - dev_read_urand($1) - # for encrypted homedir - dev_read_sysfs($1) - - auth_create_faillog_files($1) - auth_domtrans_chk_passwd($1) - auth_domtrans_upd_passwd($1) - auth_dontaudit_read_shadow($1) - auth_rw_lastlog($1) - auth_rw_faillog($1) - auth_rw_login_records($1) - auth_setattr_faillog_files($1) - auth_exec_pam($1) - auth_use_nsswitch($1) - - logging_send_audit_msgs($1) - logging_send_syslog_msg($1) - - optional_policy(` - dbus_system_bus_client($1) - - optional_policy(` - consolekit_dbus_chat($1) - ') - - optional_policy(` - fprintd_dbus_chat($1) - ') - ') - - optional_policy(` - kerberos_manage_host_rcache($1) - kerberos_read_config($1) - ') - - optional_policy(` - nis_authenticate($1) - ') - - ifdef(`distro_gentoo',` - # pam_unix.so only calls unix_chkpwd if geteuid <> 0 or if SELinux is enabled. 
- # So we need to grant it the proper privileges to check if SELinux is enabled - selinux_getattr_fs($1) - selinux_get_enforce_mode($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_use_pam'($*)) dnl - ') - - -######################################## -## -## Use the pam module systemd during authentication. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_use_pam_systemd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_use_pam_systemd'($*)) dnl - - dbus_system_bus_client($1) - systemd_dbus_chat_logind($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_use_pam_systemd'($*)) dnl - ') - - -######################################## -## -## Use the pam module motd with dynamic support during authentication. -## This module comes from Ubuntu (https://bugs.launchpad.net/ubuntu/+source/pam/+bug/399071) -## and was added to Debian (https://sources.debian.org/src/pam/1.3.1-5/debian/patches-applied/update-motd/) -## -## -## -## Domain allowed access. -## -## -# - define(`auth_use_pam_motd_dynamic',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_use_pam_motd_dynamic'($*)) dnl - - gen_require(` - type pam_motd_runtime_t; - ') - - # Allow pam_motd to run /usr/bin/env and /usr/bin/dash to generate - # /run/motd.dynamic from motd.dynamic.new. - corecmd_exec_bin($1) - corecmd_exec_shell($1) - - allow $1 pam_motd_runtime_t:file manage_file_perms; - files_pid_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new") - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_use_pam_motd_dynamic'($*)) dnl - ') - - -######################################## -## -## Make the specified domain used for a login program. -## -## -## -## Domain type used for a login program domain. 
-## -## -# - define(`auth_login_pgm_domain',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_login_pgm_domain'($*)) dnl - - gen_require(` - type var_auth_t, auth_cache_t; - ') - - domain_type($1) - domain_subj_id_change_exemption($1) - domain_role_change_exemption($1) - domain_obj_id_change_exemption($1) - role system_r types $1; - - # Needed for pam_selinux_permit to cleanup properly - domain_read_all_domains_state($1) - domain_kill_all_domains($1) - - # pam_keyring - allow $1 self:capability ipc_lock; - allow $1 self:process setkeycreate; - allow $1 self:key manage_key_perms; - - files_list_var_lib($1) - manage_files_pattern($1, var_auth_t, var_auth_t) - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) - manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) - files_var_filetrans($1, auth_cache_t, dir) - - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_rw_afs_state($1) - - # for fingerprint readers - dev_rw_input_dev($1) - dev_rw_generic_usb_dev($1) - - files_read_etc_files($1) - - fs_list_auto_mountpoints($1) - - selinux_get_fs_mount($1) - selinux_validate_context($1) - selinux_compute_access_vector($1) - selinux_compute_create_context($1) - selinux_compute_relabel_context($1) - selinux_compute_user_contexts($1) - - mls_file_read_all_levels($1) - mls_file_write_all_levels($1) - mls_file_upgrade($1) - mls_file_downgrade($1) - mls_process_set_level($1) - mls_fd_share_all_levels($1) - - auth_use_pam($1) - - init_rw_utmp($1) - - logging_set_loginuid($1) - logging_set_tty_audit($1) - - seutil_read_config($1) - seutil_read_default_contexts($1) - - userdom_search_user_runtime($1) - userdom_read_user_tmpfs_files($1) - - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) - ') - - optional_policy(` - systemd_read_logind_state($1) - systemd_write_inherited_logind_sessions_pipes($1) 
- systemd_use_passwd_agent_fds($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_login_pgm_domain'($*)) dnl - ') - - -######################################## -## -## Use the login program as an entry point program. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_login_entry_type',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_login_entry_type'($*)) dnl - - gen_require(` - type login_exec_t; - ') - - domain_entry_file($1, login_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_login_entry_type'($*)) dnl - ') - - -######################################## -## -## Execute a login_program in the target domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the login_program process. -## -## -# - define(`auth_domtrans_login_program',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_login_program'($*)) dnl - - gen_require(` - type login_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, login_exec_t, $2) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_login_program'($*)) dnl - ') - - -######################################## -## -## Execute a login_program in the target domain, -## with a range transition. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The type of the login_program process. -## -## -## -## -## Range of the login program. 
-## -## -# - define(`auth_ranged_domtrans_login_program',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_ranged_domtrans_login_program'($*)) dnl - - gen_require(` - type login_exec_t; - ') - - auth_domtrans_login_program($1, $2) - - ifdef(`enable_mcs',` - range_transition $1 login_exec_t:process $3; - ') - - ifdef(`enable_mls',` - range_transition $1 login_exec_t:process $3; - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_ranged_domtrans_login_program'($*)) dnl - ') - - -######################################## -## -## Search authentication cache -## -## -## -## Domain allowed access. -## -## -# - define(`auth_search_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_search_cache'($*)) dnl - - gen_require(` - type auth_cache_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_search_cache'($*)) dnl - ') - - -######################################## -## -## Read authentication cache -## -## -## -## Domain allowed access. -## -## -# - define(`auth_read_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_cache'($*)) dnl - - gen_require(` - type auth_cache_t; - ') - - read_files_pattern($1, auth_cache_t, auth_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_cache'($*)) dnl - ') - - -######################################## -## -## Read/Write authentication cache -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_rw_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_cache'($*)) dnl - - gen_require(` - type auth_cache_t; - ') - - rw_files_pattern($1, auth_cache_t, auth_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_cache'($*)) dnl - ') - - -######################################## -## -## Manage authentication cache -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_cache'($*)) dnl - - gen_require(` - type auth_cache_t; - ') - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_cache'($*)) dnl - ') - - -####################################### -## -## Automatic transition from cache_t to cache. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_var_filetrans_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_var_filetrans_cache'($*)) dnl - - gen_require(` - type auth_cache_t; - ') - - files_var_filetrans($1, auth_cache_t, { file dir } ) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_var_filetrans_cache'($*)) dnl - ') - - -######################################## -## -## Run unix_chkpwd to check a password. -## -## -## -## Domain allowed to transition. 
-## -## -# - define(`auth_domtrans_chk_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_chk_passwd'($*)) dnl - - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - type auth_cache_t; - ') - - allow $1 auth_cache_t:dir search_dir_perms; - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - - dontaudit $1 shadow_t:file read_file_perms; - - dev_read_rand($1) - dev_read_urand($1) - - auth_use_nsswitch($1) - auth_rw_faillog($1) - - logging_send_audit_msgs($1) - - miscfiles_read_generic_certs($1) - - optional_policy(` - kerberos_read_keytab($1) - ') - - optional_policy(` - pcscd_read_pid_files($1) - pcscd_stream_connect($1) - ') - - optional_policy(` - samba_stream_connect_winbind($1) - ') - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_chk_passwd'($*)) dnl - ') - - -######################################## -## -## Run unix_chkpwd to check a password. -## Stripped down version to be called within boolean -## -## -## -## Domain allowed to transition. -## -## -# - define(`auth_domtrans_chkpwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_chkpwd'($*)) dnl - - gen_require(` - type chkpwd_t, chkpwd_exec_t, shadow_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) - dontaudit $1 shadow_t:file { getattr read }; - auth_domtrans_upd_passwd($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_chkpwd'($*)) dnl - ') - - -######################################## -## -## Execute chkpwd programs in the chkpwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the chkpwd domain. 
-## -## -# - define(`auth_run_chk_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_run_chk_passwd'($*)) dnl - - gen_require(` - type chkpwd_t; - ') - - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_run_chk_passwd'($*)) dnl - ') - - -######################################## -## -## Execute a domain transition to run unix_update. -## -## -## -## Domain allowed to transition. -## -## -# - define(`auth_domtrans_upd_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_upd_passwd'($*)) dnl - - gen_require(` - type updpwd_t, updpwd_exec_t; - ') - - domtrans_pattern($1, updpwd_exec_t, updpwd_t) - auth_dontaudit_read_shadow($1) - - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_upd_passwd'($*)) dnl - ') - - -######################################## -## -## Execute updpwd programs in the updpwd domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the updpwd domain. -## -## -# - define(`auth_run_upd_passwd',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_run_upd_passwd'($*)) dnl - - gen_require(` - type updpwd_t; - ') - - auth_domtrans_upd_passwd($1) - role $2 types updpwd_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_run_upd_passwd'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the shadow passwords file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_getattr_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_getattr_shadow'($*)) dnl - - gen_require(` - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_getattr_shadow'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to get the attributes -## of the shadow passwords file. -## -## -## -## Domain to not audit. -## -## -# - define(`auth_dontaudit_getattr_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_shadow'($*)) dnl - - gen_require(` - type shadow_t; - ') - - dontaudit $1 shadow_t:file getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_shadow'($*)) dnl - ') - - -######################################## -## -## Read the shadow passwords file (/etc/shadow) -## -## -## -## Domain allowed access. -## -## -# -# cjp: these next three interfaces are split -# since typeattribute does not work in conditionals -# yet, otherwise they should be one interface. -# - define(`auth_read_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_shadow'($*)) dnl - - auth_can_read_shadow_passwords($1) - auth_tunable_read_shadow($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_shadow'($*)) dnl - ') - - -######################################## -## -## Pass shadow assertion for reading. -## -## -##

-## Pass shadow assertion for reading. -## This should only be used with -## auth_tunable_read_shadow(), and -## only exists because typeattribute -## does not work in conditionals. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`auth_can_read_shadow_passwords',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_can_read_shadow_passwords'($*)) dnl - - gen_require(` - attribute can_read_shadow_passwords; - ') - - typeattribute $1 can_read_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_can_read_shadow_passwords'($*)) dnl - ') - - -######################################## -## -## Read the shadow password file. -## -## -##

-## Read the shadow password file. This -## should only be used in a conditional; -## it does not pass the reading shadow -## assertion. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`auth_tunable_read_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_tunable_read_shadow'($*)) dnl - - gen_require(` - type shadow_t; - ') - - files_list_etc($1) - allow $1 shadow_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_tunable_read_shadow'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read the shadow -## password file (/etc/shadow). -## -## -## -## Domain to not audit. -## -## -# - define(`auth_dontaudit_read_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_shadow'($*)) dnl - - gen_require(` - type shadow_t; - ') - - dontaudit $1 shadow_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_shadow'($*)) dnl - ') - - -######################################## -## -## Read and write the shadow password file (/etc/shadow). -## -## -## -## Domain allowed access. -## -## -# - define(`auth_rw_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_shadow'($*)) dnl - - gen_require(` - attribute can_read_shadow_passwords, can_write_shadow_passwords; - type shadow_t; - ') - - files_list_etc($1) - allow $1 shadow_t:file rw_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_shadow'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the shadow -## password file. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_manage_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_shadow'($*)) dnl - - gen_require(` - attribute can_read_shadow_passwords, can_write_shadow_passwords; - type shadow_t; - ') - - allow $1 shadow_t:file manage_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_shadow'($*)) dnl - ') - - -####################################### -## -## Automatic transition from etc to shadow. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_etc_filetrans_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_etc_filetrans_shadow'($*)) dnl - - gen_require(` - type shadow_t; - ') - - files_etc_filetrans($1, shadow_t, file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_etc_filetrans_shadow'($*)) dnl - ') - - -####################################### -## -## Relabel to the shadow -## password file type. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_relabelto_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_relabelto_shadow'($*)) dnl - - gen_require(` - attribute can_relabelto_shadow_passwords; - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file relabelto; - typeattribute $1 can_relabelto_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_relabelto_shadow'($*)) dnl - ') - - -####################################### -## -## Relabel from and to the shadow -## password file type. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_relabel_shadow',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_relabel_shadow'($*)) dnl - - gen_require(` - attribute can_relabelto_shadow_passwords; - type shadow_t; - ') - - files_search_etc($1) - allow $1 shadow_t:file relabel_file_perms; - typeattribute $1 can_relabelto_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_relabel_shadow'($*)) dnl - ') - - -####################################### -## -## Append to the login failure log. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_append_faillog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_append_faillog'($*)) dnl - - gen_require(` - type faillog_t; - ') - - logging_search_logs($1) - allow $1 faillog_t:file append_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_append_faillog'($*)) dnl - ') - - -######################################## -## -## Create fail log lock (in /run/faillock). -## -## -## -## Domain allowed access. -## -## -# - define(`auth_create_faillog_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_create_faillog_files'($*)) dnl - - gen_require(` - type faillog_t; - ') - - create_files_pattern($1, faillog_t, faillog_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_create_faillog_files'($*)) dnl - ') - - -######################################## -## -## Read and write the login failure log. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_rw_faillog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_faillog'($*)) dnl - - gen_require(` - type faillog_t; - ') - - logging_search_logs($1) - allow $1 faillog_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_faillog'($*)) dnl - ') - - -######################################## -## -## Manage the login failure logs. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_faillog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_faillog'($*)) dnl - - gen_require(` - type faillog_t; - ') - - allow $1 faillog_t:file manage_file_perms; - logging_rw_generic_log_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_faillog'($*)) dnl - ') - - -######################################## -## -## Setattr the login failure logs. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_setattr_faillog_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_setattr_faillog_files'($*)) dnl - - gen_require(` - type faillog_t; - ') - - setattr_files_pattern($1, faillog_t, faillog_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_setattr_faillog_files'($*)) dnl - ') - - -####################################### -## -## Read the last logins log. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`auth_read_lastlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_lastlog'($*)) dnl - - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_lastlog'($*)) dnl - ') - - -####################################### -## -## Append only to the last logins log. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_append_lastlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_append_lastlog'($*)) dnl - - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file { append_file_perms lock }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_append_lastlog'($*)) dnl - ') - - -####################################### -## -## relabel the last logins log. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_relabel_lastlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_relabel_lastlog'($*)) dnl - - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file { relabelfrom relabelto }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_relabel_lastlog'($*)) dnl - ') - - -####################################### -## -## Read and write to the last logins log. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_rw_lastlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_lastlog'($*)) dnl - - gen_require(` - type lastlog_t; - ') - - logging_search_logs($1) - allow $1 lastlog_t:file { rw_file_perms lock setattr }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_lastlog'($*)) dnl - ') - - -######################################## -## -## Manage the last logins log. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_lastlog',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_lastlog'($*)) dnl - - gen_require(` - type lastlog_t; - ') - - allow $1 lastlog_t:file manage_file_perms; - logging_rw_generic_log_dirs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_lastlog'($*)) dnl - ') - - -######################################## -## -## Execute pam programs in the pam domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`auth_domtrans_pam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam'($*)) dnl - - gen_require(` - type pam_t, pam_exec_t; - ') - - domtrans_pattern($1, pam_exec_t, pam_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_pam'($*)) dnl - ') - - -######################################## -## -## Send generic signals to pam processes. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_signal_pam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_signal_pam'($*)) dnl - - gen_require(` - type pam_t; - ') - - allow $1 pam_t:process signal; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_signal_pam'($*)) dnl - ') - - -######################################## -## -## Execute pam programs in the PAM domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the PAM domain. -## -## -# - define(`auth_run_pam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_run_pam'($*)) dnl - - gen_require(` - type pam_t; - ') - - auth_domtrans_pam($1) - role $2 types pam_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_run_pam'($*)) dnl - ') - - -######################################## -## -## Execute the pam program. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_exec_pam',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_exec_pam'($*)) dnl - - gen_require(` - type pam_exec_t; - ') - - can_exec($1, pam_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_exec_pam'($*)) dnl - ') - - -######################################## -## -## Read var auth files. Used by various other applications -## and pam applets etc. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_read_var_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_var_auth'($*)) dnl - - gen_require(` - type var_auth_t; - ') - - files_search_var($1) - read_files_pattern($1, var_auth_t, var_auth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_var_auth'($*)) dnl - ') - - -####################################### -## -## Read and write var auth files. Used by various other applications -## and pam applets etc. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_rw_var_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_var_auth'($*)) dnl - - gen_require(` - type var_auth_t; - ') - - files_search_var($1) - rw_files_pattern($1, var_auth_t, var_auth_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_var_auth'($*)) dnl - ') - - -######################################## -## -## Manage var auth files. Used by various other applications -## and pam applets etc. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_var_auth',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_var_auth'($*)) dnl - - gen_require(` - type var_auth_t; - ') - - files_search_var($1) - allow $1 var_auth_t:dir manage_dir_perms; - allow $1 var_auth_t:file rw_file_perms; - allow $1 var_auth_t:lnk_file rw_lnk_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_var_auth'($*)) dnl - ') - - -######################################## -## -## Read PAM PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_read_pam_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_pam_pid'($*)) dnl - - gen_require(` - type pam_runtime_t; - ') - - files_search_pids($1) - allow $1 pam_runtime_t:dir list_dir_perms; - allow $1 pam_runtime_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_pam_pid'($*)) dnl - ') - - -####################################### -## -## Do not audit attemps to read PAM PID files. -## -## -## -## Domain to not audit. -## -## -# - define(`auth_dontaudit_read_pam_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_pam_pid'($*)) dnl - - gen_require(` - type pam_runtime_t; - ') - - dontaudit $1 pam_runtime_t:file { getattr read }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_pam_pid'($*)) dnl - ') - - -######################################## -## -## Create specified objects in -## pid directories with the pam var -## run file type using a -## file type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`auth_pid_filetrans_pam_var_run',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_pid_filetrans_pam_var_run'($*)) dnl - - gen_require(` - type pam_runtime_t; - ') - - files_pid_filetrans($1, pam_runtime_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_pid_filetrans_pam_var_run'($*)) dnl - ') - - -######################################## -## -## Delete pam PID files. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_delete_pam_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_delete_pam_pid'($*)) dnl - - gen_require(` - type pam_runtime_t; - ') - - files_search_pids($1) - allow $1 pam_runtime_t:dir del_entry_dir_perms; - allow $1 pam_runtime_t:file delete_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_delete_pam_pid'($*)) dnl - ') - - -######################################## -## -## Manage pam PID files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_pam_pid',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_pam_pid'($*)) dnl - - gen_require(` - type pam_runtime_t; - ') - - files_search_pids($1) - allow $1 pam_runtime_t:dir manage_dir_perms; - allow $1 pam_runtime_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_pam_pid'($*)) dnl - ') - - -######################################## -## -## Execute pam_console with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`auth_domtrans_pam_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_console'($*)) dnl - - gen_require(` - type pam_console_t, pam_console_exec_t; - ') - - domtrans_pattern($1, pam_console_exec_t, pam_console_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_console'($*)) dnl - ') - - -######################################## -## -## Search the contents of the -## pam_console data directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_search_pam_console_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_search_pam_console_data'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_search_pam_console_data'($*)) dnl - ') - - -######################################## -## -## List the contents of the pam_console -## data directory. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_list_pam_console_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_list_pam_console_data'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir list_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_list_pam_console_data'($*)) dnl - ') - - -######################################## -## -## Create pam var console pid directories. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_create_pam_console_data_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_create_pam_console_data_dirs'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir create_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_create_pam_console_data_dirs'($*)) dnl - ') - - -######################################## -## -## Relabel pam_console data directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_relabel_pam_console_data_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_relabel_pam_console_data_dirs'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_relabel_pam_console_data_dirs'($*)) dnl - ') - - -######################################## -## -## Read pam_console data files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_read_pam_console_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_pam_console_data'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - allow $1 pam_var_console_t:dir list_dir_perms; - allow $1 pam_var_console_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_pam_console_data'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete -## pam_console data files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_pam_console_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_pam_console_data'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_pids($1) - manage_files_pattern($1, pam_var_console_t, pam_var_console_t) - manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_pam_console_data'($*)) dnl - ') - - -####################################### -## -## Delete pam_console data. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_delete_pam_console_data',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_delete_pam_console_data'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_search_var($1) - files_search_pids($1) - delete_files_pattern($1, pam_var_console_t, pam_var_console_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_delete_pam_console_data'($*)) dnl - ') - - -######################################## -## -## Create specified objects in -## pid directories with the pam var -## console pid file type using a -## file type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# - define(`auth_pid_filetrans_pam_var_console',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_pid_filetrans_pam_var_console'($*)) dnl - - gen_require(` - type pam_var_console_t; - ') - - files_pid_filetrans($1, pam_var_console_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_pid_filetrans_pam_var_console'($*)) dnl - ') - - -######################################## -## -## Execute utempter programs in the utempter domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`auth_domtrans_utempter',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_domtrans_utempter'($*)) dnl - - gen_require(` - type utempter_t, utempter_exec_t; - ') - - domtrans_pattern($1, utempter_exec_t, utempter_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_domtrans_utempter'($*)) dnl - ') - - -######################################## -## -## Execute utempter programs in the utempter domain. -## -## -## -## Domain allowed to transition. 
-## -## -## -## -## The role to allow the utempter domain. -## -## -# - define(`auth_run_utempter',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_run_utempter'($*)) dnl - - gen_require(` - type utempter_t; - ') - - auth_domtrans_utempter($1) - role $2 types utempter_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_run_utempter'($*)) dnl - ') - - -####################################### -## -## Do not audit attemps to execute utempter executable. -## -## -## -## Domain to not audit. -## -## -# - define(`auth_dontaudit_exec_utempter',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_exec_utempter'($*)) dnl - - gen_require(` - type utempter_exec_t; - ') - - dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_exec_utempter'($*)) dnl - ') - - -######################################## -## -## Set the attributes of login record files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_setattr_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_setattr_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file setattr; - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_setattr_login_records'($*)) dnl - ') - - -######################################## -## -## Read login records files (/var/log/wtmp). -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`auth_read_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_read_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - logging_search_logs($1) - allow $1 wtmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_read_login_records'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to read login records -## files (/var/log/wtmp). -## -## -## -## Domain to not audit. -## -## -## -# - define(`auth_dontaudit_read_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - dontaudit $1 wtmp_t:file read_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_login_records'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to -## login records files. -## -## -## -## Domain to not audit. -## -## -# - define(`auth_dontaudit_write_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_dontaudit_write_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - dontaudit $1 wtmp_t:file write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_dontaudit_write_login_records'($*)) dnl - ') - - -####################################### -## -## Append to login records (wtmp). -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_append_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_append_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file append_file_perms; - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_append_login_records'($*)) dnl - ') - - -####################################### -## -## Write to login records (wtmp). -## -## -## -## Domain allowed access. -## -## -# - define(`auth_write_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_write_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file { write_file_perms lock }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_write_login_records'($*)) dnl - ') - - -######################################## -## -## Read and write login records. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_rw_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_rw_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file rw_file_perms; - logging_search_logs($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_rw_login_records'($*)) dnl - ') - - -######################################## -## -## Create a login records in the log directory -## using a type transition. -## -## -## -## Domain allowed access. 
-## -## -# - define(`auth_log_filetrans_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_log_filetrans_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - logging_log_filetrans($1, wtmp_t, file) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_log_filetrans_login_records'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete login -## records files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_manage_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_manage_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - logging_rw_generic_log_dirs($1) - allow $1 wtmp_t:file manage_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_manage_login_records'($*)) dnl - ') - - -######################################## -## -## Relabel login record files. -## -## -## -## Domain allowed access. -## -## -# - define(`auth_relabel_login_records',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_relabel_login_records'($*)) dnl - - gen_require(` - type wtmp_t; - ') - - allow $1 wtmp_t:file relabel_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_relabel_login_records'($*)) dnl - ') - - -######################################## -## -## Use nsswitch to look up user, password, group, or -## host information. -## -## -##

-## Allow the specified domain to look up user, password, -## group, or host information using the name service. -## The most common use of this interface is for services -## that do host name resolution (usually DNS resolution). -##

-##
-## -## -## Domain allowed access. -## -## -## -# - define(`auth_use_nsswitch',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_use_nsswitch'($*)) dnl - - gen_require(` - attribute nsswitch_domain; - ') - - typeattribute $1 nsswitch_domain; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_use_nsswitch'($*)) dnl - ') - - -######################################## -## -## Unconfined access to the authlogin module. -## -## -##

-## Unconfined access to the authlogin module. -##

-##

-## Currently, this only allows assertions for -## the shadow passwords file (/etc/shadow) to -## be passed. No access is granted yet. -##

-##
-## -## -## Domain allowed access. -## -## -# - define(`auth_unconfined',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `auth_unconfined'($*)) dnl - - gen_require(` - attribute can_read_shadow_passwords; - attribute can_write_shadow_passwords; - attribute can_relabelto_shadow_passwords; - ') - - typeattribute $1 can_read_shadow_passwords; - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `auth_unconfined'($*)) dnl - ') - -## -## Policy for hotplug system, for supporting the -## connection and disconnection of devices at runtime. -## - -######################################## -## -## Execute hotplug with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# - define(`hotplug_domtrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_domtrans'($*)) dnl - - gen_require(` - type hotplug_t, hotplug_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, hotplug_exec_t, hotplug_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_domtrans'($*)) dnl - ') - - -######################################## -## -## Execute hotplug in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`hotplug_exec',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_exec'($*)) dnl - - gen_require(` - type hotplug_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, hotplug_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_exec'($*)) dnl - ') - - -######################################## -## -## Inherit and use hotplug file descriptors. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hotplug_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_use_fds'($*)) dnl - - gen_require(` - type hotplug_t; - ') - - allow $1 hotplug_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to inherit -## hotplug file descriptors. -## -## -## -## Domain to not audit. -## -## -# - define(`hotplug_dontaudit_use_fds',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_dontaudit_use_fds'($*)) dnl - - gen_require(` - type hotplug_t; - ') - - dontaudit $1 hotplug_t:fd use; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_dontaudit_use_fds'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to search the -## hotplug configuration directories. -## -## -## -## Domain to not audit. -## -## -# - define(`hotplug_dontaudit_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_dontaudit_search_config'($*)) dnl - - gen_require(` - type hotplug_etc_t; - ') - - dontaudit $1 hotplug_etc_t:dir search; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_dontaudit_search_config'($*)) dnl - ') - - -######################################## -## -## Get the attributes of the hotplug configuration directory. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hotplug_getattr_config_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_getattr_config_dirs'($*)) dnl - - gen_require(` - type hotplug_etc_t; - ') - - allow $1 hotplug_etc_t:dir getattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_getattr_config_dirs'($*)) dnl - ') - - -######################################## -## -## Search the hotplug configuration directory. -## -## -## -## Domain allowed access. -## -## -# - define(`hotplug_search_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_search_config'($*)) dnl - - gen_require(` - type hotplug_etc_t; - ') - - allow $1 hotplug_etc_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_search_config'($*)) dnl - ') - - -######################################## -## -## Read the configuration files for hotplug. -## -## -## -## Domain allowed access. -## -## -## -# - define(`hotplug_read_config',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_read_config'($*)) dnl - - gen_require(` - type hotplug_etc_t; - ') - - files_search_etc($1) - allow $1 hotplug_etc_t:dir list_dir_perms; - read_files_pattern($1, hotplug_etc_t, hotplug_etc_t) - read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_read_config'($*)) dnl - ') - - -######################################## -## -## Search the hotplug PIDs. -## -## -## -## Domain allowed access. 
-## -## -# - define(`hotplug_search_pids',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `hotplug_search_pids'($*)) dnl - - gen_require(` - type hotplug_runtime_t; - ') - - allow $1 hotplug_runtime_t:dir search_dir_perms; - files_search_pids($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `hotplug_search_pids'($*)) dnl - ') - -## Policy for system libraries. - -######################################## -## -## Execute ldconfig in the ldconfig domain. -## -## -## -## Domain allowed to transition. -## -## -# - define(`libs_domtrans_ldconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_domtrans_ldconfig'($*)) dnl - - gen_require(` - type ldconfig_t, ldconfig_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, ldconfig_exec_t, ldconfig_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_domtrans_ldconfig'($*)) dnl - ') - - -######################################## -## -## Execute ldconfig in the ldconfig domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the ldconfig domain. -## -## -## -# - define(`libs_run_ldconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_run_ldconfig'($*)) dnl - - gen_require(` - type ldconfig_t; - ') - - libs_domtrans_ldconfig($1) - role $2 types ldconfig_t; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_run_ldconfig'($*)) dnl - ') - - -######################################## -## -## Execute ldconfig in the caller domain. -## -## -## -## Domain allowed access. 
-## -## -## -# - define(`libs_exec_ldconfig',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_exec_ldconfig'($*)) dnl - - gen_require(` - type ldconfig_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, ldconfig_exec_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_exec_ldconfig'($*)) dnl - ') - - -######################################## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_use_ld_so',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_use_ld_so'($*)) dnl - - gen_require(` - type lib_t, ld_so_t, ld_so_cache_t; - ') - - files_list_etc($1) - allow $1 lib_t:dir list_dir_perms; - - read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_exec_files_pattern($1, lib_t, ld_so_t) - - allow $1 ld_so_cache_t:file { map read_file_perms }; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_use_ld_so'($*)) dnl - ') - - -######################################## -## -## Use the dynamic link/loader for automatic loading -## of shared libraries with legacy support. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_legacy_use_ld_so',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_legacy_use_ld_so'($*)) dnl - - gen_require(` - type ld_so_t, ld_so_cache_t; - ') - - libs_use_ld_so($1) - allow $1 ld_so_t:file execmod; - allow $1 ld_so_cache_t:file execute; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_legacy_use_ld_so'($*)) dnl - ') - - -######################################## -## -## Execute the dynamic link/loader in the caller's domain. -## -## -## -## Domain allowed access. 
-## -## -# - define(`libs_exec_ld_so',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_exec_ld_so'($*)) dnl - - gen_require(` - type lib_t, ld_so_t; - ') - - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - exec_files_pattern($1, lib_t, ld_so_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_exec_ld_so'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete the -## dynamic link/loader. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`libs_manage_ld_so',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_manage_ld_so'($*)) dnl - - gen_require(` - type lib_t, ld_so_t; - ') - - manage_files_pattern($1, lib_t, ld_so_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_manage_ld_so'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the type used for -## the dynamic link/loader. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`libs_relabel_ld_so',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_relabel_ld_so'($*)) dnl - - gen_require(` - type lib_t, ld_so_t; - ') - - relabel_files_pattern($1, lib_t, ld_so_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_relabel_ld_so'($*)) dnl - ') - - -######################################## -## -## Modify the dynamic link/loader's cached listing -## of shared libraries. -## -## -## -## Domain allowed access. 
-## -## -# - define(`libs_rw_ld_so_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_rw_ld_so_cache'($*)) dnl - - gen_require(` - type ld_so_cache_t; - ') - - files_list_etc($1) - allow $1 ld_so_cache_t:file rw_file_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_rw_ld_so_cache'($*)) dnl - ') - - -######################################## -## -## Search library directories. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_search_lib',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_search_lib'($*)) dnl - - gen_require(` - type lib_t; - ') - - allow $1 lib_t:dir search_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_search_lib'($*)) dnl - ') - - -######################################## -## -## Do not audit attempts to write to library directories. -## -## -##

-## Do not audit attempts to write to library directories. -## Typically this is used to quiet attempts to recompile -## python byte code. -##

-##
-## -## -## Domain to not audit. -## -## -# - define(`libs_dontaudit_write_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_dontaudit_write_lib_dirs'($*)) dnl - - gen_require(` - type lib_t; - ') - - dontaudit $1 lib_t:dir write; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_dontaudit_write_lib_dirs'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete library directories. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_manage_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_manage_lib_dirs'($*)) dnl - - gen_require(` - type lib_t; - ') - - allow $1 lib_t:dir manage_dir_perms; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_manage_lib_dirs'($*)) dnl - ') - - -######################################## -## -## dontaudit attempts to setattr on library files -## -## -## -## Domain to not audit. -## -## -# - define(`libs_dontaudit_setattr_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_dontaudit_setattr_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - dontaudit $1 lib_t:file setattr; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_dontaudit_setattr_lib_files'($*)) dnl - ') - - -######################################## -## -## Read files in the library directories, such -## as static libraries. -## -## -## -## Domain allowed access. 
-## -## -# - define(`libs_read_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_read_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - files_list_usr($1) - list_dirs_pattern($1, lib_t, lib_t) - read_files_pattern($1, lib_t, lib_t) - read_lnk_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_read_lib_files'($*)) dnl - ') - - -######################################## -## -## Execute library scripts in the caller domain. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_exec_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_exec_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, lib_t) - exec_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_exec_lib_files'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete generic -## files in library directories. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`libs_manage_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_manage_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - manage_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_manage_lib_files'($*)) dnl - ') - - -######################################## -## -## Relabel files to the type used in library directories. -## -## -## -## Domain allowed access. 
-## -## -# - define(`libs_relabelto_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_relabelto_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - relabelto_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_relabelto_lib_files'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the type used -## for generic lib files. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`libs_relabel_lib_files',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_relabel_lib_files'($*)) dnl - - gen_require(` - type lib_t; - ') - - relabel_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_relabel_lib_files'($*)) dnl - ') - - -######################################## -## -## Delete generic symlinks in library directories. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for prelink - define(`libs_delete_lib_symlinks',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_delete_lib_symlinks'($*)) dnl - - gen_require(` - type lib_t; - ') - - delete_lnk_files_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_delete_lib_symlinks'($*)) dnl - ') - - -######################################## -## -## Create, read, write, and delete shared libraries. -## -## -## -## Domain allowed access. 
-## -## -# -# cjp: added for prelink - define(`libs_manage_shared_libs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_manage_shared_libs'($*)) dnl - - gen_require(` - type lib_t, textrel_shlib_t; - ') - - manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_manage_shared_libs'($*)) dnl - ') - - -######################################## -## -## Load and execute functions from shared libraries. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_use_shared_libs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_use_shared_libs'($*)) dnl - - gen_require(` - type lib_t, textrel_shlib_t; - ') - - files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - mmap_exec_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - allow $1 textrel_shlib_t:file execmod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_use_shared_libs'($*)) dnl - ') - - -######################################## -## -## Load and execute functions from shared libraries, -## with legacy support. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_legacy_use_shared_libs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_legacy_use_shared_libs'($*)) dnl - - gen_require(` - type lib_t; - ') - - libs_use_shared_libs($1) - allow $1 lib_t:file execmod; - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_legacy_use_shared_libs'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the type used for -## shared libraries. -## -## -## -## Domain allowed access. 
-## -## -# -# cjp: added for prelink - define(`libs_relabel_shared_libs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_relabel_shared_libs'($*)) dnl - - gen_require(` - type lib_t, textrel_shlib_t; - ') - - relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_relabel_shared_libs'($*)) dnl - ') - - -# This is gentoo specific but cannot use ifdef distro_gentoo here - -######################################## -## -## Create an object in etc with a type transition to -## the ld_so_cache_t type -## -## -## -## Domain allowed access -## -## -## -## -## Class of the resource for which a type transition occurs. -## This is usually file as ld_so_cache is currently not used -## for any other resources. -## -## -## -## -## Name of the resource created for which a type transition occurs -## -## -# - define(`libs_generic_etc_filetrans_ld_so_cache',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_generic_etc_filetrans_ld_so_cache'($*)) dnl - - gen_require(` - type ld_so_cache_t; - ') - - files_etc_filetrans($1, ld_so_cache_t, $2, $3) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_generic_etc_filetrans_ld_so_cache'($*)) dnl - ') - - -########################################## -## -## Create an object in the generic lib location with a type transition -## to the provided type -## -## -## -## Domain allowed access -## -## -## -## -## Target domain towards which a type transition should occur -## -## -## -## -## Class of the resource for which a type transition occurs. 
-## -## -## -## -## Name of the resource created for which a type transition should occur -## -## -# - define(`libs_lib_filetrans',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_lib_filetrans'($*)) dnl - - gen_require(` - type lib_t; - ') - - filetrans_pattern($1, lib_t, $2, $3, $4) - - libs_search_lib($1) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_lib_filetrans'($*)) dnl - ') - - -######################################## -## -## Relabel to and from the type used -## for generic lib directories. -## -## -## -## Domain allowed access. -## -## -# - define(`libs_relabel_lib_dirs',` dnl - pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `libs_relabel_lib_dirs'($*)) dnl - - gen_require(` - type lib_t; - ') - - relabel_dirs_pattern($1, lib_t, lib_t) - - popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `libs_relabel_lib_dirs'($*)) dnl - ') - - -## - -divert diff --git a/sec-policy/selinux-feffe-policies/files/tmp/feffe.tmp b/sec-policy/selinux-feffe-policies/files/tmp/feffe.tmp deleted file mode 100644 index d4bbaa0..0000000 --- a/sec-policy/selinux-feffe-policies/files/tmp/feffe.tmp +++ /dev/null 
@@ -1,5160 +0,0 @@ -#line 1 "/usr/share/selinux/mcs/include/support/file_patterns.spt" -# -# Directory patterns (dir) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. directory type -# -#line 12 - - -#line 17 - - -#line 22 - - -#line 27 - - -#line 32 - - -#line 37 - - -#line 42 - - -#line 47 - - -#line 52 - - -#line 57 - - -#line 62 - - -#line 67 - - -#line 72 - - -#line 77 - - -# -# Regular file patterns (file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -#line 90 - - -#line 95 - - -#line 100 - - -#line 105 - - -#line 112 - - -#line 117 - - -#line 122 - - -#line 127 - - -#line 132 - - -#line 137 - - -#line 142 - - -#line 147 - - -#line 152 - - -#line 157 - - -#line 162 - - -#line 167 - - -#line 172 - - -#line 177 - - -# -# Symbolic link patterns (lnk_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -#line 190 - - -#line 195 - - -#line 200 - - -#line 205 - - -#line 210 - - -#line 215 - - -#line 220 - - -#line 225 - - -#line 230 - - -#line 235 - - -#line 240 - - -#line 245 - - -#line 250 - - -# -# (Un)named Pipes/FIFO patterns (fifo_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -#line 263 - - -#line 268 - - -#line 273 - - -#line 278 - - -#line 283 - - -#line 288 - - -#line 293 - - -#line 298 - - -#line 303 - - -#line 308 - - -#line 313 - - -#line 318 - - -#line 323 - - -# -# (Un)named sockets patterns (sock_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -#line 336 - - -#line 341 - - -#line 346 - - -#line 351 - - -#line 356 - - -#line 361 - - -#line 366 - - -#line 371 - - -#line 376 - - -#line 381 - - -#line 386 - - -#line 391 - - -# -# Block device node patterns (blk_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. 
file type -# -#line 404 - - -#line 409 - - -#line 414 - - -#line 419 - - -#line 424 - - -#line 429 - - -#line 435 - - -#line 440 - - -#line 445 - - -#line 451 - - -#line 456 - - -#line 461 - - -#line 466 - - -# -# Character device node patterns (chr_file) -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. file type -# -#line 479 - - -#line 484 - - -#line 489 - - -#line 494 - - -#line 499 - - -#line 504 - - -#line 510 - - -#line 515 - - -#line 520 - - -#line 526 - - -#line 531 - - -#line 536 - - -#line 541 - - -# -# File type_transition patterns -# -# Parameters: -# 1. domain type -# 2. container (directory) type -# 3. new object type -# 4. object class(es) -# [optional] 5. filename (c style strcmp ready) -# - -# do not grant $2:dir remove_name -#line 558 - - -#line 563 - - -# -# Admin pattern for file_type -# -# Parameters: -# 1. domain type -# 2. source object type -# -#line 584 - -#line 1 "/usr/share/selinux/mcs/include/support/ipc_patterns.spt" -# -# unix domain socket patterns -# -# Parameters: -# 1. source domain type -# 2. container (directory) type -# 3. socket type -# 4. target domain type -# -#line 14 - - -#line 20 - -#line 1 "/usr/share/selinux/mcs/include/support/obj_perm_sets.spt" -######################################## -# -# Support macros for sets of object classes and permissions -# -# This file should only have object class and permission set macros - they -# can only reference object classes and/or permissions. - - -######################################## -# -# Macros for sets of classes -# - -# -# All directory and file classes -# - - -# -# All non-directory file classes. -# - - -# -# Non-device file classes. -# - - -# -# Device file classes. -# - - -# -# All socket classes. -# - - -# -# Datagram socket classes. -# - - -# -# Stream socket classes. -# - - -# -# Unprivileged socket classes (exclude rawip, netlink, packet). 
-# - - - -######################################## -# -# Macros for sets of permissions -# - -# -# Permissions to mount and unmount file systems. -# - - -# -# Permissions for using sockets. -# - - -# -# Permissions for creating and using sockets. -# - - -# -# Permissions for using stream sockets. -# - - -# -# Permissions for creating and using stream sockets. -# - - -# -# Permissions for creating and using sockets. -# - - -# -# Permissions for creating and using sockets. -# - - -# -# Permissions for creating and using netlink sockets. -# - - -# -# Permissions for using netlink sockets for operations that modify state. -# - - -# -# Permissions for using netlink sockets for operations that observe state. -# - - -# -# Permissions for sending all signals. -# - - -# -# Permissions for using System V IPC -# - - - - - - - - - - -# -# Directory (dir) -# - - - - - - - - - - - - - - - -# -# Regular file (file) -# - - - - -# deprecated 20171213 -#line 157 - - - - - - - - - - - - - - - - - - - - - - -# -# Symbolic link (lnk_file) -# - - - - - - - - - - - - - - -# -# (Un)named Pipes/FIFOs (fifo_file) -# - - - - - - - - - - - - - - - -# -# (Un)named Sockets (sock_file) -# - - - - - - - - - - - - - -# -# Block device nodes (blk_file) -# - - - - - - - - - - - - - - -# -# Character device nodes (chr_file) -# - - - - - - - - - - - - - - - -######################################## -# -# Special permission sets -# - -# -# Use (read and write) terminals -# - - - -# -# Sockets -# - - - -# -# Keys -# - -#line 1 "/usr/share/selinux/mcs/include/support/misc_patterns.spt" -# -# Common domain transition pattern perms -# -# Parameters: -# 1. source domain -# 2. entry point file type -# 3. target domain -# -#line 13 - - -# compatibility: Deprecated (20161201) -#line 19 - - - -# -# Specified domain transition patterns -# -# Parameters: -# 1. source domain -# 2. entry point file type -# 3. target domain -# -#line 37 - - -# -# Automatic domain transition patterns -# -# Parameters: -# 1. 
source domain -# 2. entry point file type -# 3. target domain -# -#line 50 - - -# compatibility: Deprecated (20161201) -#line 56 - - -# -# Automatic domain transition patterns -# with feedback permissions -# -# Parameters: -# 1. source domain -# 2. entry point file type -# 3. target domain -# -#line 73 - - -# -# Dynamic transition pattern -# -# Parameters: -# 1. source domain -# 2. target domain -# -#line 86 - - -# -# Read foreign domain proc data -# -# Parameters: -# 1. source domain -# 2. target domain -# -#line 100 - - -# -# Process administration pattern -# -# Parameters: -# 1. source domain -# 2. target domain -# -#line 113 - -#line 1 "/usr/share/selinux/mcs/include/support/misc_macros.spt" - -######################################## -# -# Helper macros -# - -# -# shiftn(num,list...) -# -# shift the list num times -# - - -# -# ifndef(expr,true_block,false_block) -# -# m4 does not have this. -# - - -# -# __endline__ -# -# dummy macro to insert a newline. used for -# errprint, so the close parentheses can be -# indented correctly. -# -#line 29 - - -######################################## -# -# refpolwarn(message) -# -# print a warning message -# - - -######################################## -# -# refpolerr(message) -# -# print an error message. 
-# - - -######################################## -# -# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) -# -#line 57 - - -######################################## -# -# gen_context(context,mls_sensitivity,[mcs_categories]) -# -#line 64 - -######################################## -# -# can_exec(domain,executable) -# - - -######################################## -# -# gen_bool(name,default_value) -# -#line 77 - -#line 1 "/usr/share/selinux/mcs/include/support/all_perms.spt" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -#line 228 - - -#line 266 - -#line 1 "/usr/share/selinux/mcs/include/support/mls_mcs_macros.spt" -######################################## -# -# gen_cats(N) -# -# declares categores c0 to c(N-1) -# -#line 10 - - - - -######################################## -# -# gen_sens(N) -# -# declares sensitivites s0 to s(N-1) with dominance -# in increasing numeric order with s0 lowest, s(N-1) highest -# -#line 24 - - - - -#line 34 - - -######################################## -# -# gen_levels(N,M) -# -# levels from s0 to (N-1) with categories c0 to (M-1) -# -#line 45 - - - - -######################################## -# -# Basic level names for system low and high -# - - - - - -#line 1 "/usr/share/selinux/mcs/include/support/loadable_module.spt" -######################################## -# -# Macros for switching between source policy -# and loadable policy module support -# - -############################## -# -# For adding the module statement -# -#line 30 - - -############################## -# -# For use in interfaces, to optionally insert a require block -# -#line 48 - - -# helper function, since m4 wont expand macros -# if a line is a comment (#): -#line 55 - -############################## -# -# In the future 
interfaces should be in loadable modules -# -# template(name,rules) -# -#line 71 - - -############################## -# -# In the future interfaces should be in loadable modules -# -# interface(name,rules) -# -#line 88 - - - - -############################## -# -# Optional policy handling -# -#line 102 - - -############################## -# -# Determine if we should use the default -# tunable value as specified by the policy -# or if the override value should be used -# - - -############################## -# -# Extract booleans out of an expression. -# This needs to be reworked so expressions -# with parentheses can work. - -#line 123 - - -############################## -# -# Tunable declaration -# -#line 131 - - -############################## -# -# Tunable policy handling -# -#line 146 - -#line 285730 "tmp/all_interfaces.conf" - -#line 1 "feffe.te" - -#line 1 - -#line 1 - module feffe 1.0; -#line 1 - -#line 1 - require { -#line 1 - role system_r; -#line 1 - -#line 1 - class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans }; -#line 1 - class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit }; -#line 1 - class system { ipc_info syslog_read syslog_mod syslog_console module_request module_load halt reboot status start stop enable disable reload }; -#line 1 - class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; 
-#line 1 - class filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; -#line 1 - class file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads execute_no_trans entrypoint }; -#line 1 - class dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir }; -#line 1 - class fd { use }; -#line 1 - class lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads }; -#line 1 - class chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads }; -#line 1 - class blk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads }; -#line 1 - class sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads }; -#line 1 - class fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads }; -#line 1 - class socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown 
recvfrom sendto name_bind }; -#line 1 - class tcp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect }; -#line 1 - class udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind }; -#line 1 - class rawip_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind }; -#line 1 - class node { recvfrom sendto }; -#line 1 - class netif { ingress egress }; -#line 1 - class netlink_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class packet_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class key_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class unix_stream_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto }; -#line 1 - class unix_dgram_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class sem { create destroy getattr setattr read write associate unix_read unix_write }; -#line 1 - class msg { send receive }; -#line 1 - class msgq { create destroy getattr setattr read write associate unix_read unix_write enqueue }; -#line 1 - class shm { create destroy getattr setattr read write 
associate unix_read unix_write lock }; -#line 1 - class ipc { create destroy getattr setattr read write associate unix_read unix_write }; -#line 1 - class netlink_route_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write }; -#line 1 - class obsolete_netlink_firewall_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write }; -#line 1 - class netlink_tcpdiag_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write }; -#line 1 - class netlink_nflog_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_xfrm_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write }; -#line 1 - class netlink_selinux_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_audit_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit }; -#line 1 - class obsolete_netlink_ip6fw_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write }; -#line 1 - class netlink_dnrt_socket { ioctl read write create getattr setattr 
lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class association { sendto recvfrom setcontext polmatch }; -#line 1 - class netlink_kobject_uevent_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class appletalk_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class packet { send recv relabelto forward_in forward_out }; -#line 1 - class key { view read write search link setattr create }; -#line 1 - class dccp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect }; -#line 1 - class memprotect { mmap_zero }; -#line 1 - class peer { recv }; -#line 1 - class capability2 { mac_override mac_admin syslog wake_alarm block_suspend audit_read }; -#line 1 - class kernel_service { use_as_override create_files_as }; -#line 1 - class tun_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue }; -#line 1 - class binder { impersonate call set_context_mgr transfer }; -#line 1 - class netlink_iscsi_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_fib_lookup_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_connector_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen 
accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_netfilter_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_generic_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_scsitransport_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_rdma_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netlink_crypto_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class infiniband_pkey { access }; -#line 1 - class infiniband_endport { manage_subnet }; -#line 1 - class cap_userns { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; -#line 1 - class cap2_userns { mac_override mac_admin syslog wake_alarm block_suspend audit_read }; -#line 1 - class sctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect association }; -#line 1 - class icmp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown 
recvfrom sendto name_bind node_bind }; -#line 1 - class ax25_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class ipx_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class netrom_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class atmpvc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class x25_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class rose_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class decnet_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class atmsvc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class rds_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class irda_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class pppox_socket { ioctl read write create getattr setattr 
lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class llc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class can_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class tipc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class bluetooth_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class iucv_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class rxrpc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class isdn_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class phonet_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class ieee802154_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class caif_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto 
name_bind }; -#line 1 - class alg_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class nfc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class vsock_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class kcm_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class qipcrtr_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class smc_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class process2 { nnp_transition nosuid_transition }; -#line 1 - class bpf { map_create map_read map_write prog_load prog_run }; -#line 1 - class xdp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind }; -#line 1 - class perf_event { open cpu kernel tracepoint read write }; -#line 1 - -#line 1 - -#line 1 - -#line 1 - sensitivity s0; -#line 1 - -#line 1 - category c0; -#line 1 -category c1; -#line 1 -category c2; -#line 1 -category c3; -#line 1 -category c4; -#line 1 -category c5; -#line 1 -category c6; -#line 1 -category c7; -#line 1 -category c8; -#line 1 -category c9; -#line 1 -category c10; -#line 1 -category c11; -#line 1 -category c12; -#line 1 -category c13; -#line 1 -category c14; -#line 1 -category c15; -#line 1 
-category c16; -#line 1 -category c17; -#line 1 -category c18; -#line 1 -category c19; -#line 1 -category c20; -#line 1 -category c21; -#line 1 -category c22; -#line 1 -category c23; -#line 1 -category c24; -#line 1 -category c25; -#line 1 -category c26; -#line 1 -category c27; -#line 1 -category c28; -#line 1 -category c29; -#line 1 -category c30; -#line 1 -category c31; -#line 1 -category c32; -#line 1 -category c33; -#line 1 -category c34; -#line 1 -category c35; -#line 1 -category c36; -#line 1 -category c37; -#line 1 -category c38; -#line 1 -category c39; -#line 1 -category c40; -#line 1 -category c41; -#line 1 -category c42; -#line 1 -category c43; -#line 1 -category c44; -#line 1 -category c45; -#line 1 -category c46; -#line 1 -category c47; -#line 1 -category c48; -#line 1 -category c49; -#line 1 -category c50; -#line 1 -category c51; -#line 1 -category c52; -#line 1 -category c53; -#line 1 -category c54; -#line 1 -category c55; -#line 1 -category c56; -#line 1 -category c57; -#line 1 -category c58; -#line 1 -category c59; -#line 1 -category c60; -#line 1 -category c61; -#line 1 -category c62; -#line 1 -category c63; -#line 1 -category c64; -#line 1 -category c65; -#line 1 -category c66; -#line 1 -category c67; -#line 1 -category c68; -#line 1 -category c69; -#line 1 -category c70; -#line 1 -category c71; -#line 1 -category c72; -#line 1 -category c73; -#line 1 -category c74; -#line 1 -category c75; -#line 1 -category c76; -#line 1 -category c77; -#line 1 -category c78; -#line 1 -category c79; -#line 1 -category c80; -#line 1 -category c81; -#line 1 -category c82; -#line 1 -category c83; -#line 1 -category c84; -#line 1 -category c85; -#line 1 -category c86; -#line 1 -category c87; -#line 1 -category c88; -#line 1 -category c89; -#line 1 -category c90; -#line 1 -category c91; -#line 1 -category c92; -#line 1 -category c93; -#line 1 -category c94; -#line 1 -category c95; -#line 1 -category c96; -#line 1 -category c97; -#line 1 -category c98; -#line 1 
-category c99; -#line 1 -category c100; -#line 1 -category c101; -#line 1 -category c102; -#line 1 -category c103; -#line 1 -category c104; -#line 1 -category c105; -#line 1 -category c106; -#line 1 -category c107; -#line 1 -category c108; -#line 1 -category c109; -#line 1 -category c110; -#line 1 -category c111; -#line 1 -category c112; -#line 1 -category c113; -#line 1 -category c114; -#line 1 -category c115; -#line 1 -category c116; -#line 1 -category c117; -#line 1 -category c118; -#line 1 -category c119; -#line 1 -category c120; -#line 1 -category c121; -#line 1 -category c122; -#line 1 -category c123; -#line 1 -category c124; -#line 1 -category c125; -#line 1 -category c126; -#line 1 -category c127; -#line 1 -category c128; -#line 1 -category c129; -#line 1 -category c130; -#line 1 -category c131; -#line 1 -category c132; -#line 1 -category c133; -#line 1 -category c134; -#line 1 -category c135; -#line 1 -category c136; -#line 1 -category c137; -#line 1 -category c138; -#line 1 -category c139; -#line 1 -category c140; -#line 1 -category c141; -#line 1 -category c142; -#line 1 -category c143; -#line 1 -category c144; -#line 1 -category c145; -#line 1 -category c146; -#line 1 -category c147; -#line 1 -category c148; -#line 1 -category c149; -#line 1 -category c150; -#line 1 -category c151; -#line 1 -category c152; -#line 1 -category c153; -#line 1 -category c154; -#line 1 -category c155; -#line 1 -category c156; -#line 1 -category c157; -#line 1 -category c158; -#line 1 -category c159; -#line 1 -category c160; -#line 1 -category c161; -#line 1 -category c162; -#line 1 -category c163; -#line 1 -category c164; -#line 1 -category c165; -#line 1 -category c166; -#line 1 -category c167; -#line 1 -category c168; -#line 1 -category c169; -#line 1 -category c170; -#line 1 -category c171; -#line 1 -category c172; -#line 1 -category c173; -#line 1 -category c174; -#line 1 -category c175; -#line 1 -category c176; -#line 1 -category c177; -#line 1 -category c178; -#line 1 
-category c179; -#line 1 -category c180; -#line 1 -category c181; -#line 1 -category c182; -#line 1 -category c183; -#line 1 -category c184; -#line 1 -category c185; -#line 1 -category c186; -#line 1 -category c187; -#line 1 -category c188; -#line 1 -category c189; -#line 1 -category c190; -#line 1 -category c191; -#line 1 -category c192; -#line 1 -category c193; -#line 1 -category c194; -#line 1 -category c195; -#line 1 -category c196; -#line 1 -category c197; -#line 1 -category c198; -#line 1 -category c199; -#line 1 -category c200; -#line 1 -category c201; -#line 1 -category c202; -#line 1 -category c203; -#line 1 -category c204; -#line 1 -category c205; -#line 1 -category c206; -#line 1 -category c207; -#line 1 -category c208; -#line 1 -category c209; -#line 1 -category c210; -#line 1 -category c211; -#line 1 -category c212; -#line 1 -category c213; -#line 1 -category c214; -#line 1 -category c215; -#line 1 -category c216; -#line 1 -category c217; -#line 1 -category c218; -#line 1 -category c219; -#line 1 -category c220; -#line 1 -category c221; -#line 1 -category c222; -#line 1 -category c223; -#line 1 -category c224; -#line 1 -category c225; -#line 1 -category c226; -#line 1 -category c227; -#line 1 -category c228; -#line 1 -category c229; -#line 1 -category c230; -#line 1 -category c231; -#line 1 -category c232; -#line 1 -category c233; -#line 1 -category c234; -#line 1 -category c235; -#line 1 -category c236; -#line 1 -category c237; -#line 1 -category c238; -#line 1 -category c239; -#line 1 -category c240; -#line 1 -category c241; -#line 1 -category c242; -#line 1 -category c243; -#line 1 -category c244; -#line 1 -category c245; -#line 1 -category c246; -#line 1 -category c247; -#line 1 -category c248; -#line 1 -category c249; -#line 1 -category c250; -#line 1 -category c251; -#line 1 -category c252; -#line 1 -category c253; -#line 1 -category c254; -#line 1 -category c255; -#line 1 -category c256; -#line 1 -category c257; -#line 1 -category c258; -#line 1 
-category c259; -#line 1 -category c260; -#line 1 -category c261; -#line 1 -category c262; -#line 1 -category c263; -#line 1 -category c264; -#line 1 -category c265; -#line 1 -category c266; -#line 1 -category c267; -#line 1 -category c268; -#line 1 -category c269; -#line 1 -category c270; -#line 1 -category c271; -#line 1 -category c272; -#line 1 -category c273; -#line 1 -category c274; -#line 1 -category c275; -#line 1 -category c276; -#line 1 -category c277; -#line 1 -category c278; -#line 1 -category c279; -#line 1 -category c280; -#line 1 -category c281; -#line 1 -category c282; -#line 1 -category c283; -#line 1 -category c284; -#line 1 -category c285; -#line 1 -category c286; -#line 1 -category c287; -#line 1 -category c288; -#line 1 -category c289; -#line 1 -category c290; -#line 1 -category c291; -#line 1 -category c292; -#line 1 -category c293; -#line 1 -category c294; -#line 1 -category c295; -#line 1 -category c296; -#line 1 -category c297; -#line 1 -category c298; -#line 1 -category c299; -#line 1 -category c300; -#line 1 -category c301; -#line 1 -category c302; -#line 1 -category c303; -#line 1 -category c304; -#line 1 -category c305; -#line 1 -category c306; -#line 1 -category c307; -#line 1 -category c308; -#line 1 -category c309; -#line 1 -category c310; -#line 1 -category c311; -#line 1 -category c312; -#line 1 -category c313; -#line 1 -category c314; -#line 1 -category c315; -#line 1 -category c316; -#line 1 -category c317; -#line 1 -category c318; -#line 1 -category c319; -#line 1 -category c320; -#line 1 -category c321; -#line 1 -category c322; -#line 1 -category c323; -#line 1 -category c324; -#line 1 -category c325; -#line 1 -category c326; -#line 1 -category c327; -#line 1 -category c328; -#line 1 -category c329; -#line 1 -category c330; -#line 1 -category c331; -#line 1 -category c332; -#line 1 -category c333; -#line 1 -category c334; -#line 1 -category c335; -#line 1 -category c336; -#line 1 -category c337; -#line 1 -category c338; -#line 1 
-category c339; -#line 1 -category c340; -#line 1 -category c341; -#line 1 -category c342; -#line 1 -category c343; -#line 1 -category c344; -#line 1 -category c345; -#line 1 -category c346; -#line 1 -category c347; -#line 1 -category c348; -#line 1 -category c349; -#line 1 -category c350; -#line 1 -category c351; -#line 1 -category c352; -#line 1 -category c353; -#line 1 -category c354; -#line 1 -category c355; -#line 1 -category c356; -#line 1 -category c357; -#line 1 -category c358; -#line 1 -category c359; -#line 1 -category c360; -#line 1 -category c361; -#line 1 -category c362; -#line 1 -category c363; -#line 1 -category c364; -#line 1 -category c365; -#line 1 -category c366; -#line 1 -category c367; -#line 1 -category c368; -#line 1 -category c369; -#line 1 -category c370; -#line 1 -category c371; -#line 1 -category c372; -#line 1 -category c373; -#line 1 -category c374; -#line 1 -category c375; -#line 1 -category c376; -#line 1 -category c377; -#line 1 -category c378; -#line 1 -category c379; -#line 1 -category c380; -#line 1 -category c381; -#line 1 -category c382; -#line 1 -category c383; -#line 1 -category c384; -#line 1 -category c385; -#line 1 -category c386; -#line 1 -category c387; -#line 1 -category c388; -#line 1 -category c389; -#line 1 -category c390; -#line 1 -category c391; -#line 1 -category c392; -#line 1 -category c393; -#line 1 -category c394; -#line 1 -category c395; -#line 1 -category c396; -#line 1 -category c397; -#line 1 -category c398; -#line 1 -category c399; -#line 1 -category c400; -#line 1 -category c401; -#line 1 -category c402; -#line 1 -category c403; -#line 1 -category c404; -#line 1 -category c405; -#line 1 -category c406; -#line 1 -category c407; -#line 1 -category c408; -#line 1 -category c409; -#line 1 -category c410; -#line 1 -category c411; -#line 1 -category c412; -#line 1 -category c413; -#line 1 -category c414; -#line 1 -category c415; -#line 1 -category c416; -#line 1 -category c417; -#line 1 -category c418; -#line 1 
-category c419; -#line 1 -category c420; -#line 1 -category c421; -#line 1 -category c422; -#line 1 -category c423; -#line 1 -category c424; -#line 1 -category c425; -#line 1 -category c426; -#line 1 -category c427; -#line 1 -category c428; -#line 1 -category c429; -#line 1 -category c430; -#line 1 -category c431; -#line 1 -category c432; -#line 1 -category c433; -#line 1 -category c434; -#line 1 -category c435; -#line 1 -category c436; -#line 1 -category c437; -#line 1 -category c438; -#line 1 -category c439; -#line 1 -category c440; -#line 1 -category c441; -#line 1 -category c442; -#line 1 -category c443; -#line 1 -category c444; -#line 1 -category c445; -#line 1 -category c446; -#line 1 -category c447; -#line 1 -category c448; -#line 1 -category c449; -#line 1 -category c450; -#line 1 -category c451; -#line 1 -category c452; -#line 1 -category c453; -#line 1 -category c454; -#line 1 -category c455; -#line 1 -category c456; -#line 1 -category c457; -#line 1 -category c458; -#line 1 -category c459; -#line 1 -category c460; -#line 1 -category c461; -#line 1 -category c462; -#line 1 -category c463; -#line 1 -category c464; -#line 1 -category c465; -#line 1 -category c466; -#line 1 -category c467; -#line 1 -category c468; -#line 1 -category c469; -#line 1 -category c470; -#line 1 -category c471; -#line 1 -category c472; -#line 1 -category c473; -#line 1 -category c474; -#line 1 -category c475; -#line 1 -category c476; -#line 1 -category c477; -#line 1 -category c478; -#line 1 -category c479; -#line 1 -category c480; -#line 1 -category c481; -#line 1 -category c482; -#line 1 -category c483; -#line 1 -category c484; -#line 1 -category c485; -#line 1 -category c486; -#line 1 -category c487; -#line 1 -category c488; -#line 1 -category c489; -#line 1 -category c490; -#line 1 -category c491; -#line 1 -category c492; -#line 1 -category c493; -#line 1 -category c494; -#line 1 -category c495; -#line 1 -category c496; -#line 1 -category c497; -#line 1 -category c498; -#line 1 
-category c499; -#line 1 -category c500; -#line 1 -category c501; -#line 1 -category c502; -#line 1 -category c503; -#line 1 -category c504; -#line 1 -category c505; -#line 1 -category c506; -#line 1 -category c507; -#line 1 -category c508; -#line 1 -category c509; -#line 1 -category c510; -#line 1 -category c511; -#line 1 -category c512; -#line 1 -category c513; -#line 1 -category c514; -#line 1 -category c515; -#line 1 -category c516; -#line 1 -category c517; -#line 1 -category c518; -#line 1 -category c519; -#line 1 -category c520; -#line 1 -category c521; -#line 1 -category c522; -#line 1 -category c523; -#line 1 -category c524; -#line 1 -category c525; -#line 1 -category c526; -#line 1 -category c527; -#line 1 -category c528; -#line 1 -category c529; -#line 1 -category c530; -#line 1 -category c531; -#line 1 -category c532; -#line 1 -category c533; -#line 1 -category c534; -#line 1 -category c535; -#line 1 -category c536; -#line 1 -category c537; -#line 1 -category c538; -#line 1 -category c539; -#line 1 -category c540; -#line 1 -category c541; -#line 1 -category c542; -#line 1 -category c543; -#line 1 -category c544; -#line 1 -category c545; -#line 1 -category c546; -#line 1 -category c547; -#line 1 -category c548; -#line 1 -category c549; -#line 1 -category c550; -#line 1 -category c551; -#line 1 -category c552; -#line 1 -category c553; -#line 1 -category c554; -#line 1 -category c555; -#line 1 -category c556; -#line 1 -category c557; -#line 1 -category c558; -#line 1 -category c559; -#line 1 -category c560; -#line 1 -category c561; -#line 1 -category c562; -#line 1 -category c563; -#line 1 -category c564; -#line 1 -category c565; -#line 1 -category c566; -#line 1 -category c567; -#line 1 -category c568; -#line 1 -category c569; -#line 1 -category c570; -#line 1 -category c571; -#line 1 -category c572; -#line 1 -category c573; -#line 1 -category c574; -#line 1 -category c575; -#line 1 -category c576; -#line 1 -category c577; -#line 1 -category c578; -#line 1 
-category c579; -#line 1 -category c580; -#line 1 -category c581; -#line 1 -category c582; -#line 1 -category c583; -#line 1 -category c584; -#line 1 -category c585; -#line 1 -category c586; -#line 1 -category c587; -#line 1 -category c588; -#line 1 -category c589; -#line 1 -category c590; -#line 1 -category c591; -#line 1 -category c592; -#line 1 -category c593; -#line 1 -category c594; -#line 1 -category c595; -#line 1 -category c596; -#line 1 -category c597; -#line 1 -category c598; -#line 1 -category c599; -#line 1 -category c600; -#line 1 -category c601; -#line 1 -category c602; -#line 1 -category c603; -#line 1 -category c604; -#line 1 -category c605; -#line 1 -category c606; -#line 1 -category c607; -#line 1 -category c608; -#line 1 -category c609; -#line 1 -category c610; -#line 1 -category c611; -#line 1 -category c612; -#line 1 -category c613; -#line 1 -category c614; -#line 1 -category c615; -#line 1 -category c616; -#line 1 -category c617; -#line 1 -category c618; -#line 1 -category c619; -#line 1 -category c620; -#line 1 -category c621; -#line 1 -category c622; -#line 1 -category c623; -#line 1 -category c624; -#line 1 -category c625; -#line 1 -category c626; -#line 1 -category c627; -#line 1 -category c628; -#line 1 -category c629; -#line 1 -category c630; -#line 1 -category c631; -#line 1 -category c632; -#line 1 -category c633; -#line 1 -category c634; -#line 1 -category c635; -#line 1 -category c636; -#line 1 -category c637; -#line 1 -category c638; -#line 1 -category c639; -#line 1 -category c640; -#line 1 -category c641; -#line 1 -category c642; -#line 1 -category c643; -#line 1 -category c644; -#line 1 -category c645; -#line 1 -category c646; -#line 1 -category c647; -#line 1 -category c648; -#line 1 -category c649; -#line 1 -category c650; -#line 1 -category c651; -#line 1 -category c652; -#line 1 -category c653; -#line 1 -category c654; -#line 1 -category c655; -#line 1 -category c656; -#line 1 -category c657; -#line 1 -category c658; -#line 1 
-category c659; -#line 1 -category c660; -#line 1 -category c661; -#line 1 -category c662; -#line 1 -category c663; -#line 1 -category c664; -#line 1 -category c665; -#line 1 -category c666; -#line 1 -category c667; -#line 1 -category c668; -#line 1 -category c669; -#line 1 -category c670; -#line 1 -category c671; -#line 1 -category c672; -#line 1 -category c673; -#line 1 -category c674; -#line 1 -category c675; -#line 1 -category c676; -#line 1 -category c677; -#line 1 -category c678; -#line 1 -category c679; -#line 1 -category c680; -#line 1 -category c681; -#line 1 -category c682; -#line 1 -category c683; -#line 1 -category c684; -#line 1 -category c685; -#line 1 -category c686; -#line 1 -category c687; -#line 1 -category c688; -#line 1 -category c689; -#line 1 -category c690; -#line 1 -category c691; -#line 1 -category c692; -#line 1 -category c693; -#line 1 -category c694; -#line 1 -category c695; -#line 1 -category c696; -#line 1 -category c697; -#line 1 -category c698; -#line 1 -category c699; -#line 1 -category c700; -#line 1 -category c701; -#line 1 -category c702; -#line 1 -category c703; -#line 1 -category c704; -#line 1 -category c705; -#line 1 -category c706; -#line 1 -category c707; -#line 1 -category c708; -#line 1 -category c709; -#line 1 -category c710; -#line 1 -category c711; -#line 1 -category c712; -#line 1 -category c713; -#line 1 -category c714; -#line 1 -category c715; -#line 1 -category c716; -#line 1 -category c717; -#line 1 -category c718; -#line 1 -category c719; -#line 1 -category c720; -#line 1 -category c721; -#line 1 -category c722; -#line 1 -category c723; -#line 1 -category c724; -#line 1 -category c725; -#line 1 -category c726; -#line 1 -category c727; -#line 1 -category c728; -#line 1 -category c729; -#line 1 -category c730; -#line 1 -category c731; -#line 1 -category c732; -#line 1 -category c733; -#line 1 -category c734; -#line 1 -category c735; -#line 1 -category c736; -#line 1 -category c737; -#line 1 -category c738; -#line 1 
-category c739; -#line 1 -category c740; -#line 1 -category c741; -#line 1 -category c742; -#line 1 -category c743; -#line 1 -category c744; -#line 1 -category c745; -#line 1 -category c746; -#line 1 -category c747; -#line 1 -category c748; -#line 1 -category c749; -#line 1 -category c750; -#line 1 -category c751; -#line 1 -category c752; -#line 1 -category c753; -#line 1 -category c754; -#line 1 -category c755; -#line 1 -category c756; -#line 1 -category c757; -#line 1 -category c758; -#line 1 -category c759; -#line 1 -category c760; -#line 1 -category c761; -#line 1 -category c762; -#line 1 -category c763; -#line 1 -category c764; -#line 1 -category c765; -#line 1 -category c766; -#line 1 -category c767; -#line 1 -category c768; -#line 1 -category c769; -#line 1 -category c770; -#line 1 -category c771; -#line 1 -category c772; -#line 1 -category c773; -#line 1 -category c774; -#line 1 -category c775; -#line 1 -category c776; -#line 1 -category c777; -#line 1 -category c778; -#line 1 -category c779; -#line 1 -category c780; -#line 1 -category c781; -#line 1 -category c782; -#line 1 -category c783; -#line 1 -category c784; -#line 1 -category c785; -#line 1 -category c786; -#line 1 -category c787; -#line 1 -category c788; -#line 1 -category c789; -#line 1 -category c790; -#line 1 -category c791; -#line 1 -category c792; -#line 1 -category c793; -#line 1 -category c794; -#line 1 -category c795; -#line 1 -category c796; -#line 1 -category c797; -#line 1 -category c798; -#line 1 -category c799; -#line 1 -category c800; -#line 1 -category c801; -#line 1 -category c802; -#line 1 -category c803; -#line 1 -category c804; -#line 1 -category c805; -#line 1 -category c806; -#line 1 -category c807; -#line 1 -category c808; -#line 1 -category c809; -#line 1 -category c810; -#line 1 -category c811; -#line 1 -category c812; -#line 1 -category c813; -#line 1 -category c814; -#line 1 -category c815; -#line 1 -category c816; -#line 1 -category c817; -#line 1 -category c818; -#line 1 
-category c819; -#line 1 -category c820; -#line 1 -category c821; -#line 1 -category c822; -#line 1 -category c823; -#line 1 -category c824; -#line 1 -category c825; -#line 1 -category c826; -#line 1 -category c827; -#line 1 -category c828; -#line 1 -category c829; -#line 1 -category c830; -#line 1 -category c831; -#line 1 -category c832; -#line 1 -category c833; -#line 1 -category c834; -#line 1 -category c835; -#line 1 -category c836; -#line 1 -category c837; -#line 1 -category c838; -#line 1 -category c839; -#line 1 -category c840; -#line 1 -category c841; -#line 1 -category c842; -#line 1 -category c843; -#line 1 -category c844; -#line 1 -category c845; -#line 1 -category c846; -#line 1 -category c847; -#line 1 -category c848; -#line 1 -category c849; -#line 1 -category c850; -#line 1 -category c851; -#line 1 -category c852; -#line 1 -category c853; -#line 1 -category c854; -#line 1 -category c855; -#line 1 -category c856; -#line 1 -category c857; -#line 1 -category c858; -#line 1 -category c859; -#line 1 -category c860; -#line 1 -category c861; -#line 1 -category c862; -#line 1 -category c863; -#line 1 -category c864; -#line 1 -category c865; -#line 1 -category c866; -#line 1 -category c867; -#line 1 -category c868; -#line 1 -category c869; -#line 1 -category c870; -#line 1 -category c871; -#line 1 -category c872; -#line 1 -category c873; -#line 1 -category c874; -#line 1 -category c875; -#line 1 -category c876; -#line 1 -category c877; -#line 1 -category c878; -#line 1 -category c879; -#line 1 -category c880; -#line 1 -category c881; -#line 1 -category c882; -#line 1 -category c883; -#line 1 -category c884; -#line 1 -category c885; -#line 1 -category c886; -#line 1 -category c887; -#line 1 -category c888; -#line 1 -category c889; -#line 1 -category c890; -#line 1 -category c891; -#line 1 -category c892; -#line 1 -category c893; -#line 1 -category c894; -#line 1 -category c895; -#line 1 -category c896; -#line 1 -category c897; -#line 1 -category c898; -#line 1 
-category c899; -#line 1 -category c900; -#line 1 -category c901; -#line 1 -category c902; -#line 1 -category c903; -#line 1 -category c904; -#line 1 -category c905; -#line 1 -category c906; -#line 1 -category c907; -#line 1 -category c908; -#line 1 -category c909; -#line 1 -category c910; -#line 1 -category c911; -#line 1 -category c912; -#line 1 -category c913; -#line 1 -category c914; -#line 1 -category c915; -#line 1 -category c916; -#line 1 -category c917; -#line 1 -category c918; -#line 1 -category c919; -#line 1 -category c920; -#line 1 -category c921; -#line 1 -category c922; -#line 1 -category c923; -#line 1 -category c924; -#line 1 -category c925; -#line 1 -category c926; -#line 1 -category c927; -#line 1 -category c928; -#line 1 -category c929; -#line 1 -category c930; -#line 1 -category c931; -#line 1 -category c932; -#line 1 -category c933; -#line 1 -category c934; -#line 1 -category c935; -#line 1 -category c936; -#line 1 -category c937; -#line 1 -category c938; -#line 1 -category c939; -#line 1 -category c940; -#line 1 -category c941; -#line 1 -category c942; -#line 1 -category c943; -#line 1 -category c944; -#line 1 -category c945; -#line 1 -category c946; -#line 1 -category c947; -#line 1 -category c948; -#line 1 -category c949; -#line 1 -category c950; -#line 1 -category c951; -#line 1 -category c952; -#line 1 -category c953; -#line 1 -category c954; -#line 1 -category c955; -#line 1 -category c956; -#line 1 -category c957; -#line 1 -category c958; -#line 1 -category c959; -#line 1 -category c960; -#line 1 -category c961; -#line 1 -category c962; -#line 1 -category c963; -#line 1 -category c964; -#line 1 -category c965; -#line 1 -category c966; -#line 1 -category c967; -#line 1 -category c968; -#line 1 -category c969; -#line 1 -category c970; -#line 1 -category c971; -#line 1 -category c972; -#line 1 -category c973; -#line 1 -category c974; -#line 1 -category c975; -#line 1 -category c976; -#line 1 -category c977; -#line 1 -category c978; -#line 1 
-category c979; -#line 1 -category c980; -#line 1 -category c981; -#line 1 -category c982; -#line 1 -category c983; -#line 1 -category c984; -#line 1 -category c985; -#line 1 -category c986; -#line 1 -category c987; -#line 1 -category c988; -#line 1 -category c989; -#line 1 -category c990; -#line 1 -category c991; -#line 1 -category c992; -#line 1 -category c993; -#line 1 -category c994; -#line 1 -category c995; -#line 1 -category c996; -#line 1 -category c997; -#line 1 -category c998; -#line 1 -category c999; -#line 1 -category c1000; -#line 1 -category c1001; -#line 1 -category c1002; -#line 1 -category c1003; -#line 1 -category c1004; -#line 1 -category c1005; -#line 1 -category c1006; -#line 1 -category c1007; -#line 1 -category c1008; -#line 1 -category c1009; -#line 1 -category c1010; -#line 1 -category c1011; -#line 1 -category c1012; -#line 1 -category c1013; -#line 1 -category c1014; -#line 1 -category c1015; -#line 1 -category c1016; -#line 1 -category c1017; -#line 1 -category c1018; -#line 1 -category c1019; -#line 1 -category c1020; -#line 1 -category c1021; -#line 1 -category c1022; -#line 1 -category c1023; -#line 1 - -#line 1 - -#line 1 - -#line 1 - -#line 1 - } -#line 1 - -#line 1 - - - - -#line 4 - -#line 4 - require { -#line 4 - -#line 4 - attribute file_type; -#line 4 - -#line 4 - type devicekit_disk_t; -#line 4 - type etc_t; -#line 4 - -#line 4 - type mozilla_t; -#line 4 - type xdg_cache_t; -#line 4 - type fs_t; -#line 4 - -#line 4 - } # end require -#line 4 - -#line 13 - - -dontaudit user_t file_type:file watch; -dontaudit user_t file_type:dir watch; -dontaudit devicekit_disk_t etc_t:dir watch; -dontaudit mozilla_t xdg_cache_t:file { read write }; -dontaudit mozilla_t fs_t:filesystem quotaget; - - -#line 21 - bool feffe_cron_sync_to_home false; -#line 21 - - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - -#line 22 -bool feffe_cron_sync_to_home; -#line 22 - -#line 22 - -#line 22 - -#line 22 - } # end require -#line 22 - 
-#line 22 - -#line 22 - if (feffe_cron_sync_to_home) { -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type system_cronjob_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### begin xdg_read_config_files(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type xdg_config_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t xdg_config_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t xdg_config_t:file { { getattr read lock ioctl } open }; -#line 22 - -#line 22 - allow system_cronjob_t xdg_config_t:file map; -#line 22 - -#line 22 - allow system_cronjob_t xdg_config_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t xdg_config_t:dir { getattr search open read lock ioctl }; -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t xdg_config_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t xdg_config_t:lnk_file { getattr read }; -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### begin userdom_search_user_home_dirs(system_cronjob_t) depth: 2 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type user_home_dir_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t user_home_dir_t:dir { getattr search open }; -#line 22 - -#line 22 -##### begin files_search_home(system_cronjob_t) depth: 3 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type home_root_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t home_root_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t home_root_t:lnk_file { getattr read }; -#line 22 - -#line 22 - -#line 22 -##### end files_search_home(system_cronjob_t) depth: 2 -#line 22 - -#line 22 
- -#line 22 - -#line 22 -##### end userdom_search_user_home_dirs(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### end xdg_read_config_files(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_tcp_sendrecv_generic_if(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type netif_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t netif_t:netif { egress ingress }; -#line 22 - -#line 22 - -#line 22 -##### end corenet_tcp_sendrecv_generic_if(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_tcp_sendrecv_generic_node(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type node_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t node_t:node { sendto recvfrom }; -#line 22 - -#line 22 - -#line 22 -##### end corenet_tcp_sendrecv_generic_node(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_tcp_connect_http_port(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type http_port_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t http_port_t:tcp_socket name_connect; -#line 22 - -#line 22 - -#line 22 -##### end corenet_tcp_connect_http_port(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_sendrecv_http_client_packets(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_send_http_client_packets(system_cronjob_t) depth: 2 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type http_client_packet_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t 
http_client_packet_t:packet send; -#line 22 - -#line 22 - -#line 22 -##### end corenet_send_http_client_packets(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 -##### begin corenet_receive_http_client_packets(system_cronjob_t) depth: 2 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type http_client_packet_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t http_client_packet_t:packet recv; -#line 22 - -#line 22 - -#line 22 -##### end corenet_receive_http_client_packets(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### end corenet_sendrecv_http_client_packets(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin miscfiles_read_generic_certs(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type cert_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t cert_t:dir { getattr search open read lock ioctl }; -#line 22 - -#line 22 - allow system_cronjob_t cert_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t cert_t:file { { getattr read lock ioctl } open }; -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t cert_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t cert_t:lnk_file { getattr read }; -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### end miscfiles_read_generic_certs(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin userdom_manage_user_home_content_dirs(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type user_home_dir_t, user_home_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t { user_home_dir_t user_home_t }:dir { open read getattr lock search ioctl add_name remove_name write }; 
-#line 22 - allow system_cronjob_t user_home_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }; -#line 22 - -#line 22 - -#line 22 -##### begin files_search_home(system_cronjob_t) depth: 2 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type home_root_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t home_root_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t home_root_t:lnk_file { getattr read }; -#line 22 - -#line 22 - -#line 22 -##### end files_search_home(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 -##### end userdom_manage_user_home_content_dirs(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - -#line 22 -##### begin userdom_manage_user_home_content_files(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type user_home_dir_t, user_home_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t user_home_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 22 - allow system_cronjob_t user_home_t:file { create open getattr setattr read write append rename link unlink ioctl lock }; -#line 22 - -#line 22 - allow system_cronjob_t user_home_dir_t:dir { getattr search open }; -#line 22 - -#line 22 -##### begin files_search_home(system_cronjob_t) depth: 2 -#line 22 - -#line 22 - -#line 22 - -#line 22 - require { -#line 22 - -#line 22 - type home_root_t; -#line 22 - -#line 22 - } # end require -#line 22 - -#line 22 - -#line 22 - -#line 22 - allow system_cronjob_t home_root_t:dir { getattr search open }; -#line 22 - allow system_cronjob_t home_root_t:lnk_file { getattr read }; -#line 22 - -#line 22 - -#line 22 -##### end files_search_home(system_cronjob_t) depth: 1 -#line 22 - -#line 22 - -#line 22 - -#line 
22 -##### end userdom_manage_user_home_content_files(system_cronjob_t) depth: 0 -#line 22 - -#line 22 - allow system_cronjob_t user_home_t:dir { relabelfrom relabelto }; -#line 22 - allow system_cronjob_t user_home_t:file { relabelfrom relabelto }; -#line 22 - -#line 22 - } # end feffe_cron_sync_to_home -#line 37 - - - - -#line 40 - bool feffe_use_xdm false; -#line 40 - - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - -#line 41 -bool feffe_use_xdm; -#line 41 - -#line 41 - -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - if (feffe_use_xdm) { -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type system_dbusd_t; -#line 41 - type user_dbusd_t; -#line 41 - type file_context_t; -#line 41 - type kmsg_device_t; -#line 41 - type init_var_run_t; -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 -##### begin dev_rw_dri(user_t) depth: 1 -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type device_t, dri_device_t; -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 - -#line 41 - allow user_t device_t:dir { getattr search open }; -#line 41 - allow user_t dri_device_t:chr_file { getattr open read write append ioctl lock }; -#line 41 - -#line 41 - allow user_t dri_device_t:chr_file map; -#line 41 - -#line 41 - -#line 41 -##### end dev_rw_dri(user_t) depth: 0 -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t file_context_t:dir { getattr search open }; -#line 41 - allow system_dbusd_t file_context_t:file { { getattr read lock ioctl } open }; -#line 41 - -#line 41 - allow system_dbusd_t kmsg_device_t:chr_file {open write}; -#line 41 - allow user_dbusd_t self:process getcap; -#line 41 - allow system_dbusd_t file_context_t:file map; -#line 41 - allow system_dbusd_t self:process setfscreate; -#line 41 - -#line 41 - allow system_dbusd_t init_var_run_t:dir { open read getattr lock search ioctl 
add_name remove_name write }; -#line 41 - allow system_dbusd_t init_var_run_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }; -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t init_var_run_t:dir { getattr search open }; -#line 41 - allow system_dbusd_t init_var_run_t:file { { getattr read lock ioctl } open }; -#line 41 - -#line 41 - -#line 41 -##### begin fs_manage_cgroup_dirs(system_dbusd_t) depth: 1 -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type cgroup_t; -#line 41 - -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t cgroup_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 41 - allow system_dbusd_t cgroup_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }; -#line 41 - -#line 41 - -#line 41 -##### begin dev_search_sysfs(system_dbusd_t) depth: 2 -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type sysfs_t; -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t sysfs_t:dir { getattr search open }; -#line 41 - allow system_dbusd_t sysfs_t:dir { getattr search open }; -#line 41 - -#line 41 - -#line 41 - -#line 41 -##### end dev_search_sysfs(system_dbusd_t) depth: 1 -#line 41 - -#line 41 - -#line 41 - -#line 41 -##### end fs_manage_cgroup_dirs(system_dbusd_t) depth: 0 -#line 41 - -#line 41 - -#line 41 -##### begin fs_manage_cgroup_files(system_dbusd_t) depth: 1 -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type cgroup_t; -#line 41 - -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t cgroup_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 41 - allow 
system_dbusd_t cgroup_t:file { create open getattr setattr read write append rename link unlink ioctl lock }; -#line 41 - -#line 41 - -#line 41 -##### begin dev_search_sysfs(system_dbusd_t) depth: 2 -#line 41 - -#line 41 - -#line 41 - -#line 41 - require { -#line 41 - -#line 41 - type sysfs_t; -#line 41 - -#line 41 - } # end require -#line 41 - -#line 41 - -#line 41 - -#line 41 - -#line 41 - allow system_dbusd_t sysfs_t:dir { getattr search open }; -#line 41 - allow system_dbusd_t sysfs_t:dir { getattr search open }; -#line 41 - -#line 41 - -#line 41 - -#line 41 -##### end dev_search_sysfs(system_dbusd_t) depth: 1 -#line 41 - -#line 41 - -#line 41 - -#line 41 -##### end fs_manage_cgroup_files(system_dbusd_t) depth: 0 -#line 41 - -#line 41 - allow system_dbusd_t self:netlink_kobject_uevent_socket {create setopt bind getattr read}; -#line 41 - -#line 41 - } # end feffe_use_xdm -#line 60 - - - - -#line 63 - bool feffe_xscreensaver_read_home false; -#line 63 - - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - -#line 64 -bool feffe_xscreensaver_read_home; -#line 64 - -#line 64 - -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - if (feffe_xscreensaver_read_home) { -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - attribute user_home_content_type; -#line 64 - attribute non_security_file_type; -#line 64 - -#line 64 - type user_t; -#line 64 - type xscreensaver_helper_t; -#line 64 - type xscreensaver_t; -#line 64 - type xdm_t; -#line 64 - type lib_t; -#line 64 - type tmpfs_t; -#line 64 - type bin_t; -#line 64 - type xscreensaver_helper_exec_t; -#line 64 - type fs_t; -#line 64 - type xserver_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### begin dev_rw_dri(xscreensaver_helper_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type device_t, dri_device_t; -#line 64 - -#line 64 - } # end require -#line 64 - 
-#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t device_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t dri_device_t:chr_file { getattr open read write append ioctl lock }; -#line 64 - -#line 64 - allow xscreensaver_helper_t dri_device_t:chr_file map; -#line 64 - -#line 64 - -#line 64 -##### end dev_rw_dri(xscreensaver_helper_t) depth: 0 -#line 64 - -#line 64 - -#line 64 -##### begin dev_rw_dri(xscreensaver_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type device_t, dri_device_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t device_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t dri_device_t:chr_file { getattr open read write append ioctl lock }; -#line 64 - -#line 64 - allow xscreensaver_t dri_device_t:chr_file map; -#line 64 - -#line 64 - -#line 64 -##### end dev_rw_dri(xscreensaver_t) depth: 0 -#line 64 - -#line 64 - allow xscreensaver_helper_t xdm_t:fd use; -#line 64 - -#line 64 - allow xscreensaver_helper_t home_root_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t user_home_dir_t:dir { getattr search open }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t user_home_dir_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t user_home_t:dir { getattr search open read lock ioctl }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t user_home_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t user_home_t:file { { getattr read lock ioctl } open }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t lib_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t lib_t:file { getattr open map read execute ioctl execute_no_trans }; -#line 64 - -#line 64 - -#line 64 -##### begin dev_read_sysfs(xscreensaver_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - 
-#line 64 - type sysfs_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t sysfs_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t sysfs_t:file { { getattr read lock ioctl } open }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t sysfs_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t sysfs_t:lnk_file { getattr read }; -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t sysfs_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t sysfs_t:dir { getattr search open read lock ioctl }; -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end dev_read_sysfs(xscreensaver_t) depth: 0 -#line 64 - -#line 64 - -#line 64 -##### begin xserver_rw_mesa_shader_cache(xscreensaver_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type mesa_shader_cache_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t mesa_shader_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t mesa_shader_cache_t:dir { { getattr search open lock ioctl write add_name } { getattr search open lock ioctl write remove_name } }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t mesa_shader_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t mesa_shader_cache_t:file { { getattr read write append ioctl lock } open }; -#line 64 - -#line 64 - allow xscreensaver_t mesa_shader_cache_t:file map; -#line 64 - -#line 64 - -#line 64 -##### begin xdg_search_cache_dirs(xscreensaver_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type xdg_cache_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t xdg_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t xdg_cache_t:dir { getattr search open }; -#line 64 - 
-#line 64 - -#line 64 - -#line 64 -##### begin userdom_search_user_home_dirs(xscreensaver_t) depth: 3 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type user_home_dir_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t user_home_dir_t:dir { getattr search open }; -#line 64 - -#line 64 -##### begin files_search_home(xscreensaver_t) depth: 4 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type home_root_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t home_root_t:dir { getattr search open }; -#line 64 - allow xscreensaver_t home_root_t:lnk_file { getattr read }; -#line 64 - -#line 64 - -#line 64 -##### end files_search_home(xscreensaver_t) depth: 3 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end userdom_search_user_home_dirs(xscreensaver_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end xdg_search_cache_dirs(xscreensaver_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end xserver_rw_mesa_shader_cache(xscreensaver_t) depth: 0 -#line 64 - -#line 64 - -#line 64 -##### begin xserver_rw_mesa_shader_cache(xscreensaver_helper_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type mesa_shader_cache_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t mesa_shader_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t mesa_shader_cache_t:dir { { getattr search open lock ioctl write add_name } { getattr search open lock ioctl write remove_name } }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t mesa_shader_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t mesa_shader_cache_t:file { { getattr read write append ioctl lock } open }; -#line 64 - -#line 64 - allow 
xscreensaver_helper_t mesa_shader_cache_t:file map; -#line 64 - -#line 64 - -#line 64 -##### begin xdg_search_cache_dirs(xscreensaver_helper_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type xdg_cache_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { getattr search open }; -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### begin userdom_search_user_home_dirs(xscreensaver_helper_t) depth: 3 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type user_home_dir_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t user_home_dir_t:dir { getattr search open }; -#line 64 - -#line 64 -##### begin files_search_home(xscreensaver_helper_t) depth: 4 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type home_root_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t home_root_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t home_root_t:lnk_file { getattr read }; -#line 64 - -#line 64 - -#line 64 -##### end files_search_home(xscreensaver_helper_t) depth: 3 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end userdom_search_user_home_dirs(xscreensaver_helper_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end xdg_search_cache_dirs(xscreensaver_helper_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end xserver_rw_mesa_shader_cache(xscreensaver_helper_t) depth: 0 -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t tmpfs_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_t tmpfs_t:file { create open getattr setattr read write append rename link 
unlink ioctl lock }; -#line 64 - -#line 64 - allow xscreensaver_t tmpfs_t:file map; -#line 64 - -#line 64 - allow xscreensaver_helper_t bin_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t bin_t:dir { getattr search open }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xscreensaver_helper_exec_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t xscreensaver_helper_exec_t:file { getattr open map read execute ioctl execute_no_trans }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t bin_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t bin_t:file { getattr open map read execute ioctl execute_no_trans }; -#line 64 - -#line 64 - allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown }; -#line 64 - -#line 64 - allow xscreensaver_helper_t user_home_content_type:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t user_home_content_type:file { { getattr read lock ioctl } open }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_t fs_t:filesystem getattr; -#line 64 - -#line 64 -##### begin xdg_manage_cache(xscreensaver_helper_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type xdg_cache_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:file { create open getattr setattr read write append rename link unlink ioctl lock }; -#line 64 - -#line 64 - 
allow xscreensaver_helper_t xdg_cache_t:file map; -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:lnk_file { create read write getattr setattr link unlink rename ioctl lock }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:fifo_file { create open getattr setattr read write append rename link unlink ioctl lock }; -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t xdg_cache_t:dir { open read getattr lock search ioctl add_name remove_name write }; -#line 64 - allow xscreensaver_helper_t xdg_cache_t:sock_file { create open getattr setattr read write rename link unlink ioctl lock append }; -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### begin userdom_search_user_home_dirs(xscreensaver_helper_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type user_home_dir_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t user_home_dir_t:dir { getattr search open }; -#line 64 - -#line 64 -##### begin files_search_home(xscreensaver_helper_t) depth: 3 -#line 64 - -#line 64 - -#line 64 - -#line 64 - require { -#line 64 - -#line 64 - type home_root_t; -#line 64 - -#line 64 - } # end require -#line 64 - -#line 64 - -#line 64 - -#line 64 - allow xscreensaver_helper_t home_root_t:dir { getattr search open }; -#line 64 - allow xscreensaver_helper_t home_root_t:lnk_file { getattr read }; -#line 64 - -#line 64 - -#line 64 -##### end files_search_home(xscreensaver_helper_t) depth: 2 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end userdom_search_user_home_dirs(xscreensaver_helper_t) depth: 1 -#line 64 - -#line 64 - -#line 64 - -#line 64 -##### end 
xdg_manage_cache(xscreensaver_helper_t) depth: 0 -#line 64 - -#line 64 - -#line 64 - dontaudit xscreensaver_helper_t non_security_file_type:file map; -#line 64 - dontaudit xscreensaver_helper_t non_security_file_type:dir search; -#line 64 - dontaudit xscreensaver_helper_t xserver_t:fd use; -#line 64 - dontaudit xscreensaver_t self:process execmem; -#line 64 - dontaudit xscreensaver_t user_home_content_type:dir search; -#line 64 - -#line 64 - } # end feffe_xscreensaver_read_home -#line 106 - -
diff --git a/sec-policy/selinux-feffe-policies/files/tmp/iferror.m4 b/sec-policy/selinux-feffe-policies/files/tmp/iferror.m4
deleted file mode 100644
index a3f36f8..0000000
--- a/sec-policy/selinux-feffe-policies/files/tmp/iferror.m4
+++ /dev/null
@@ -1 +0,0 @@
-ifdef(`__if_error',`m4exit(1)')